James E. Anderson, Anne C. Choe, and Rita M. Molesworth are Partners at Willkie Farr & Gallagher LLP. This post is based on a Willkie memorandum by Mr. Anderson, Ms. Choe, Ms. Molesworth, Justin L. Browder, Adam Aderton, and Aliceson (Kristy) Littman.
Executive Summary
On October 26, 2022, by a 3-2 vote, the Securities and Exchange Commission proposed to require SEC-registered investment advisers to conduct both documented due diligence before hiring, and continued oversight of, third parties when outsourcing certain functions necessary to the adviser’s provision of investment advice. Proposed Rule 206(4)-11 appears to be the latest SEC effort to expand registered investment advisers’ obligations through prescriptive rules under the Advisers Act. If adopted, the proposals would require advisers to:
- conduct due diligence before outsourcing and to monitor service providers’ performance and reassess whether to retain them periodically;
- make and/or keep books and records related to the due diligence and monitoring requirements;
- amend Form ADV to collect census-type information about advisers’ use of service providers, including their relationship to the adviser and the type of services rendered; and
- conduct due diligence and monitoring of third-party record keepers and to obtain reasonable assurances that they will meet certain standards of service.
I. Overview
Many advisers employ a layered approach to serving their clients, providing some services themselves and outsourcing others. Commonly outsourced functions include data and record management, software services, the creation of specific indexes or trading models and tools, trading desks, accounting and valuation services, risk management, artificial intelligence tools developed for trading, and cybersecurity.[1] Advisers often also outsource more clerical, administrative, or essential needs found in many types of businesses, including email, real estate leases, and licenses for off-the-shelf software. Outsourcing generally has expedited and aided investment advisers in providing services to their clients in efficient and cost-effective ways.
The SEC’s proposal seeks to address the risk of third-party service failures that would impair an adviser’s ability to perform required advisory functions by mandating documented due diligence and continued oversight of third parties providing “core advisory services.” The proposal would require investment advisers to conduct detailed diligence before engaging in an outsourced core advisory service, provide disclosure related to these services, conduct periodic monitoring of third-party providers to ensure their reliability, and maintain detailed recordkeeping related to functions necessary for providing investment advisory services.
The proposals would mandate new disclosures to advisory clients on Form ADV, including disclosing service provider names and locations, the types of services provided by the third party, and other information about the relationship to the adviser, including whether the outsourced third-party service provider relies on its own subcontractors. Core advisory services under the proposals would include model development, trade execution, provision of bespoke indexes, subadvisory services, platforms for robo-advisory services, cybersecurity, and record keeping. Interestingly, the release does not reference ESG-related service providers despite the Commission’s recent focus on ESG issues. According to the Proposing Release, the SEC intends these diligence and continuing monitoring requirements to diminish the risk of service provider outages and to expedite record retrieval, both by potentially requiring duplicate copies of records stored at the adviser and potentially even requiring databases to be formatted so that records can be retrieved in a format desired by the SEC. Due diligence and monitoring would be required for services going forward, including those engaged before the compliance date that the adviser continues employing in its business after the compliance date.[2]
II. Definition of a “Covered Function”
Proposed Rule 206(4)-11 would establish an oversight framework for SEC-registered advisers who outsource a “covered function,” which is defined as a function or service that: (1) is necessary to provide advisory services in compliance with the Federal securities laws, and (2) if not performed or performed negligently, would be reasonably likely to cause a material negative impact on the adviser’s clients or on the adviser’s ability to provide investment advisory services. The definition of covered functions is meant to exclude clerical, ministerial, utility, or general office functions or services, but it would include compliance functions, including outsourcing a compliance consultant or a CCO.[3]
Not all Commissioners agreed with the proposed definitions. Commissioners Uyeda and Peirce objected to the proposed rule’s definition of a “covered function” as overly broad. Commissioner Uyeda specifically highlighted that services considered “in compliance with the federal securities laws” could encompass many tasks traditionally thought of as ministerial (such as printing services, when employed in delivering prospectuses).
III. Changes to Form ADV
Proposed amendments to Form ADV would require disclosure of the names and locations of any third-party service provider, as well as a summary description of the services the third party provides for the adviser. The SEC proposal would add new item 7.C on Schedule D of Form ADV Part 1A, which lists thirteen specific items in a checklist that are deemed “covered functions.” The items in the list include the following:
- Adviser/Subadviser;
- Client Servicing;
- Cybersecurity;
- Investment Guideline/Restriction Compliance;
- Investment Risk;
- Portfolio Management;
- Portfolio Accounting;
- Pricing;
- Reconciliation;
- Regulatory Compliance;
- Trading Desk;
- Trade Communication and Allocation;
- Valuation; and
- “Other.”
Persons performing “one or more covered functions” who are not “supervised persons” of the investment adviser, as defined in Section 2(a)(25) of the Advisers Act, would be deemed “service providers” under the proposed rule and would need to be disclosed on Form ADV. The Form ADV disclosures would require disclosure of the service provider’s name, location, a description of the services provided, identification of the service provider as a related person of the adviser (an adviser affiliate or a person under common control with the adviser), if applicable, and the date the service provider began providing service to the adviser.[4] Service providers who are supervised persons of the adviser, however, are covered under Form ADV already and are not subject to separate disclosure under the proposed rule.[5] See the appendix at the end of this client alert for a copy of the proposed amendments to Form ADV.
IV. Nature of the Diligence and Monitoring Requirements
Firms outsourcing a covered function to a service provider would be required to conduct initial due diligence before retaining the third-party provider. Advisers would need to develop processes to monitor service providers for the length of their engagement.[6] Documentation reflecting this diligence and oversight would have to be maintained for the duration of the service provider’s relationship with the investment adviser and for at least five years after terminating an outsourced service provider.
The release makes clear that the SEC views these outsourced functions as the responsibility of the registered adviser. As a result, the proposal would require “reasonable due diligence” before engaging a service provider to perform a covered function.[7] The proposal exhorts advisers engaging a service provider to familiarize themselves with the service providers’ organizational controls, operating principles, and on-site implementation of covered functions to ensure that the service provider can deliver the necessary, bargained-for advisory functions. The diligence requirement in proposed Rule 206(4)-11(a)(1)(i)–(vi) would mandate that an adviser reasonably identify and determine a service provider can perform a covered function both before engagement and over time. The diligence inquiry would require advisers to comply with six elements when performing their due diligence:
(i) Identify the nature and scope of the covered function the service provider is to perform;
(ii) Identify and determine how it would mitigate and manage the potential risks to clients or to the investment adviser’s ability to perform its services, resulting from engaging a service provider to perform a covered function and engaging that service provider to perform the covered function;
(iii) Determine that the service provider has the competence, capacity, and resources necessary to perform the covered function in a timely and effective manner;
(iv) Determine whether the service provider has any subcontracting arrangements that would be material to the service provider’s performance of the covered function, and identifying and determining how the investment adviser will mitigate and manage potential risks to clients or to the adviser’s ability to perform its advisory services in light of any such subcontracting arrangement;
(v) Obtain reasonable assurance from the service provider that it is able to, and will, coordinate with the adviser for purposes of the adviser’s compliance with the Federal securities laws; and
(vi) Obtain reasonable assurance from the service provider that it is able to, and will, provide a process for orderly termination of its performance of the covered function.[8]
Advisers would be required to maintain documentation concerning each element of the diligence process for each service provider providing a covered function. The SEC did not specify the types of documentation required for each of the elements, instructing advisers instead to conduct a facts and circumstances analysis about what would be the most effective descriptive documentation.
The seeming breadth of the proposed rule means that advisers could be faced with the prospect of retaining a wide variety of documentation.[9] Different sorts of records might be produced to describe, for example: a covered function’s nature and scope; a risk analysis and the mitigation strategies employed by the adviser and service provider; a service provider’s relevant competencies; the nature of any of the service provider’s subcontracting agreements and any resulting conflicts with the adviser. Different records also may be necessary to provide reasonable assurances that the service provider can operate and comply with the Federal securities laws and to document a timely and effective termination and transition of services if requested. The Proposing Release recommends written agreements, memos to file, databases, or other appropriate records documenting the particular scrutinized feature; unlike the cybersecurity risk management proposed rules, however, the proposed rule does not require an adviser to have a written agreement with its service providers.
Monitoring requirements under the proposed rule track the SEC’s diligence requirements and include an evaluation of the same six elements as the initial diligence to determine whether the covered function should remain outsourced with the specific provider. The SEC has not mandated a particular period of time for reporting or monitoring. Advisers may consider performance reports received from the service provider; the time, location, and summary of findings of any financial, operational, or third-party assessments of the service provider; identification of any new or increased service provider risks and a summary of how the adviser will mitigate or manage those risks; amendments to written agreements with a service provider; and any records of service failures that could affect performance.
The release discusses the need for advisers to learn how their service providers will execute functions on behalf of advisory clients to mitigate risk. The appropriate scope of risk mitigation is a potential area of some tension within the industry, as third-party service providers may refuse to divulge more extensive information about their operations and their service architecture’s reliability. Advisers, on the other hand, would have to publicize their reliance on specific outside services, which could provide their clients and competitors with information on how they structure their business.
To conduct required diligence and to ensure service continues without interruptions, the SEC recommends that investment advisers communicate with their service providers to ensure that mitigation plans are in place and to ensure that service provider and adviser databases are mutually compatible for sharing data related to recordkeeping. The SEC also noted that advisers and service providers would be expected to coordinate their efforts to meet the adviser’s compliance obligations under the rule, notwithstanding that the goal of outsourced arrangements is to alleviate the burdens imposed on advisers in areas where they may not have supervised persons with direct expertise in handling certain functions.
V. Recordkeeping Requirements
The proposed amendments would change the Advisers Act books and records rule, Rule 204-2, to require advisers to make and retain specific records related to diligence and ongoing monitoring assessments, effectively subjecting bookkeeping to the same diligence required of an outsourced “covered function” while requiring further diligence requirements particular to recordkeeping. The new rule also would require advisers to retain copies of any written agreement, including any amendments, appendices, exhibits, and attachments, entered into with a service provider regarding covered functions for the duration of service and up to five years after the outsourced services terminate.
The proposed amendments to Rule 204-2 would impose specific requirements on outsourced record keepers. All third-party record keepers employed by an adviser would have to comply with a comprehensive oversight framework, consisting of due diligence, monitoring, and recordkeeping elements, specifically the six-element diligence and periodic monitoring requirements prescribed for enlisting service providers to provide covered functions discussed above. Beyond these diligence requirements, an adviser would be required to obtain reasonable assurances that its third-party record keeper could meet four standards. These standards address a third party record keeper’s ability to:
(i) adopt and implement internal processes and/or systems for making and/or keeping records that meet the requirements of the recordkeeping rule applicable to the adviser;
(ii) make and/or keep records that meet all of the requirements of the recordkeeping rule applicable to the adviser;
(iii) provide access to electronic records; and
(iv) ensure the continued availability of records if the third party’s operations or relationship with the adviser cease.
Documentation and risk mitigation strategies likely would vary across different record storage and management systems. Advisers would have to understand the recordkeeping system and have a mitigation policy in place. The SEC specifically wants advisers to ensure that the data management service is recording relevant data required by the securities laws and maintaining their records in a manner permitting prompt retrieval and access upon the SEC’s request. Under the proposals, the adviser would have to monitor the record keepers’ internal processes and retain its own oversight regime to prevent gaps or delays in record retrieval.
VI. Comment Period and Compliance Date
Comment Period. As of the date of this client alert, the Proposing Release has not yet been published in the Federal Register. The public comment period ends 30 days after publication in the Federal Register or 60 days after its publication on sec.gov, whichever is longer. In addition to specific proposals included in the Proposing Release, the SEC posed 86 questions to solicit additional public feedback.
Compliance Date. If adopted, the amendments generally would have a compliance date of 10 months after the amendments’ effective date.
VII. Conclusion
These proposed amendments to the Advisers Act, including proposed Rule 206(4)-11, the changes to the recordkeeping Rule 204-2, and changes to Form ADV would pose novel challenges for advisers, as the Proposing Release has mostly left undefined the nature and form of what would be required as diligence documentation. These proposals, if adopted, would increase the regulatory burdens of investment advisers and would mandate partial disclosures of advisers’ underlying service architecture.
Endnotes
[1] Outsourcing by Investment Advisers, Advisers Act Release No. 6,176 (Oct. 26, 2022), File No. S7-25-22, https://www.sec.gov/rules/proposed/2022/ia-6176.pdf at 22-24 (“Proposing Release”).
[2] See Proposing Release at 96.
[3] See proposed Rule 206(4)-11(b) from Proposing Release at 22-23, 226-27.
[4] See Proposing Release at 74.
[5] See proposed Rule 206(4)-11(b) in Proposing Release at 226-27. A supervised person is defined in section 2(a)(25) of the Advisers Act as any partner, officer, director (or other person occupying a similar status or performing similar functions), or employee of an adviser, or other person who provides investment advice on behalf of the adviser and is subject to the supervision and control of the adviser. 15 U.S.C. § 80b-2(a)(25).
[6] Other regulators have put in place parallel processes requiring diligence and oversight over third-party service providers intended to minimize service disruptions. The National Futures Association (“NFA”) requires Members to “adopt a written supervisory framework relating to outsourcing functions to a Third-Party Service Provider that is tailored to a Member’s specific needs and business.” See NFA’s Interpretive Notice 9079, NFA’s Compliance Rules 2-9 and 2-36: Members’ Use of Third-Party Service Providers (Board of Directors, Feb. 18, 2021; effective Sept. 30, 2021), available at https://www.nfa.futures.org/rulebooksql/rules.aspx?Section=9&RuleID=9079. Broker-dealers, likewise, have similar duties to monitor service providers under FINRA Rule 3110 (Supervision) and FINRA Rule 3120 (Supervisory Control System). See FINRA Rules 3110-20; see also FINRA Regulatory Notice 21-29 (2021), available at https://www.finra.org/sites/default/files/2021-08/Regulatory-Notice-21-29.pdf.
[7] See Proposing Release at 40.
[8] See proposed Rule 206(4)-11(a)(1)(i)–(vi) in Proposing Release at 226-27.
[9] These proposals could require an adviser to disclose and conduct diligence on its related fund-entities’ outside service providers, particularly if the adviser retains and has control over how those funds choose their providers. The SEC has solicited comments asking whether it should clarify, define, or explicitly exclude such arrangements from the scope of these proposed changes. See Proposing Release at 35-38.