On October 26, 2022, the U.S. Securities and Exchange Commission (“SEC”) proposed a new rule under the Investment Advisers Act of 1940 (“Advisers Act”) imposing due diligence, recordkeeping and reporting obligations on registered investment advisers (“RIAs”) who outsource certain key “covered functions” of the adviser’s business to third parties, including affiliates. The Proposal represents another step toward more substantive regulation of RIAs by the SEC under Chairman Gensler, and will impose real costs and operational risk on RIAs.
The Proposal does not change the fact that advisers cannot—either currently or under the Proposal—“outsource” the fiduciary duties they owe to their clients. Indeed, two of the SEC’s commissioners pointed to this fact while dissenting from the proposal.[1] They questioned the utility of the additional specific requirements for RIAs, and expressed their doubt as to whether adding these requirements would do anything to further the protection of advisers’ clients. Beyond that question of policy, the practical impacts resemble those of other rule proposals from this SEC—substantive requirements and disclosures that will help identify examination and investigation subjects for the SEC Staff and increase the stakes for advisers that engage in particular activities of concern to the Staff, in this case outsourcing.
Covered Function Definition
The Proposal would apply to RIAs that outsource a “covered function,” defined as one that: “(1) is necessary to provide advisory services in compliance with the Federal securities laws, and (2) if not performed or performed negligently, would be reasonably likely to cause a material negative impact on the adviser’s clients or on the adviser’s ability to provide investment advisory services.” Both elements must be met for an outsourced function to be captured. Clerical, ministerial, utility and general office functions would be excluded from the definition, but RIAs would need to make judgments as to the contours of the definition. The proposing release included some guidance on the kinds of functions that would be captured.
First, functions or services “related to an adviser’s investment decision-making process and portfolio management” would be “necessary to provide advisory services in compliance with the Federal securities laws.”[2] This could include customized indexes, artificial intelligence or software services if used to generate and provide investment advice, but would not include functions performed by marketers and solicitors, as such services are not used by an adviser to provide investment advice.[3] This would also include compliance functions, including outsourced Chief Compliance Officers, and appointing subadvisers.
Second, advisers should consider a “variety of factors” when determining what would be “reasonably likely to cause a material negative impact (financial or otherwise) on the adviser’s clients or on the adviser’s ability to provide investment advisory services,” including the adviser’s day-to-day operational reliance on the service provider, the existence of a robust internal backup process at the adviser, and whether the service provider is making or maintaining critical records.[4]
The Proposal also contains amendments to Form ADV (discussed further below) that require RIAs to identify several “potential covered function categories,” including:
- Adviser / Subadviser;
- Client Services;
- Cybersecurity;
- Investment Guideline / Restriction Compliance;
- Investment Risk;
- Portfolio Management (excluding Adviser / Subadviser);
- Portfolio Accounting;
- Pricing;
- Reconciliation;
- Regulatory Compliance;
- Trading Desk;
- Trade Communication and Allocation; and
- Valuation.
While these categories may be helpful to advisers in considering what activities would constitute “covered functions,” whether an activity fits within one of these categories is not determinative. Advisers would need to consider each function that is outsourced and determine whether it meets the definition of “covered function.”
Service Provider Definition
The Proposal defines a service provider as “a person or entity that: (1) performs one or more covered functions; and (2) is not a supervised person of the adviser.” Supervised persons include partners, officers, directors, and employees of an adviser, as well as others who provide investment advice on behalf of the adviser and are subject to the adviser’s supervision and control. The SEC specifically considered and decided against excluding affiliates of an adviser from the Proposal, and as such, all of the Proposal’s requirements would apply when an RIA outsources to an affiliate. We expect significant comment on this aspect of the Proposal given the burdens associated with oversight of affiliates that we expect are operating under a common compliance program with the RIA.
Due Diligence
Under proposed rule 206(4)-11(a)(1), advisers who wish to outsource covered functions would need to perform reasonable due diligence to determine that it would be appropriate to outsource the function and to hire the particular service provider before the engagement.
The adviser’s diligence would be required to consider the following six specific elements:
- The nature and scope of the services;
- Potential risks resulting from the service provider performing the covered function, including how to mitigate and manage such risks;
- The service provider’s competence, capacity, and resources necessary to perform the covered function;
- The service provider’s subcontracting arrangements related to the covered function;
- Coordination with the service provider for Federal securities law compliance; and
- The orderly termination of the provision of the covered function by the service provider.
Moreover, advisers would have to periodically monitor the service provider’s performance and reassess their determination to use the service provider under these elements. The frequency of monitoring would depend on factors including the materiality and criticality of the outsourced function to the adviser’s business, and the SEC has requested comment on the question of whether the frequency of monitoring should be explicitly prescribed in the rule.
The Proposal would also amend Advisers Act Rule 204-2 to include additional books and records requirements relating to this diligence, including a list or records of covered functions the adviser has outsourced, copies of written agreements with service providers, records documenting the adviser’s due diligence, and periodic monitoring of the service provider. These records would need to be maintained until five years after a relationship with a service provider has ended.
In a departure from recent rule proposals, the Proposal does not explicitly require advisers to adopt new policies and procedures related to service provider oversight. However, this is a distinction without a difference because the Proposal reminds advisers that Rule 206(4)-7 requires advisers to have policies and procedures reasonably designed to prevent violations of the Advisers Act and rules under the Act, which would apply to the Proposal.
Third Party Recordkeepers
The Proposal also imposes an oversight requirement for RIAs who hire third parties to make or keep any books and records required by the recordkeeping rule, to ensure that the service provider keeps the adviser’s books and records in the same manner that the adviser would be required to do. In addition to needing to conduct the same due diligence and periodic monitoring of the service provider as any other service provider, the adviser must obtain reasonable assurances from the recordkeeping service provider that it will meet four standards: (i) implement an internal recordkeeping system that complies with the Advisers Act recordkeeping rule; (ii) make and keep all records applicable to the adviser; (iii) for electronic records, make them easily accessible to the adviser and SEC; and (iv) make arrangements to ensure continued availability of records even if the relationship with the adviser terminates.
These oversight requirements are not just for service providers whose functions include recordkeeping, such as a cloud service provider or an outsourced accounting department. The Proposal states that this will apply to outsourced functions that “perform a function that creates records.” For example, a third party that assists with calculating rates of return on its portfolio would be considered a third party recordkeeper and would need to comply with these new requirements, as it is creating new records each time it generates performance data.
This may cause a wide range of service providers to become third party recordkeepers for which advisers would have to maintain these new oversight requirements.
Form ADV Updates
The new reporting mechanism for covered functions would be part of Item 7 of Form ADV. A new Item 7.C. would require advisers to disclose if they outsourced any covered functions to a service provider, along with information about each such service provider. The amended Form would also require advisers to select one of the categories discussed above (or a box for “other”) for each covered function.
Comment Period and Compliance Date
The comment period for the Proposal runs until the later of December 27, 2022, or 30 days after publication in the Federal Register. If adopted, advisers must comply within ten months from the rule’s effective date (the “compliance date”). The Proposal, if adopted, would apply to any new service providers hired on or after the compliance date, and the periodic monitoring requirements of existing service providers would begin as of the compliance date.
[1] See Public Statement by Commissioner Hester M. Peirce, Outsourcing Fiduciary Duty to the Commission: Statement on Proposed Outsourcing by Investment Advisers (Oct. 26, 2022); Public Statement by Commissioner Mark T. Uyeda, Statement on Proposed Rule Regarding Outsourcing by Investment Advisers (Oct. 26, 2022).
[2] Outsourcing by Investment Advisers, SEC Release No. IA-6176 (“Proposing Release”), 22.
[3] Proposing Release at 22-24.
[4] Proposing Release at 24.