On October 26, 2022, the Securities and Exchange Commission (SEC) issued a new rule proposal that would prohibit registered investment advisers (IAs) from outsourcing certain services without satisfying due diligence, monitoring and reassessment requirements.
- Timing – comments on the proposal must be provided to the SEC by the later of the date that is 30 days after the date the proposal is published in the Federal Register or December 27, 2022.
- Rationale – since the adoption of the Investment Advisers Act of 1940, IAs have faced ever-more complex client demands and increasing cost pressures, necessitating the use of third-party service providers. Although these service providers create efficiencies, IAs still owe fiduciary duties to their clients and cannot “set it and forget it” when it comes to outsourcing.
- Scope of application – the proposal applies to all IAs who retain a service provider to perform a covered function.
- Objective – the proposal seeks to impose formal requirements for the due diligence, recordkeeping and ongoing monitoring of those service providers who provide “covered functions.”
- Definition of “covered functions” – broadly, a “covered function” would include any service or function that is necessary to provide advisory services in compliance with federal law and that would likely cause harm to clients if such function or service was negligently provided.
While this would generally exclude clerical, ministerial, utility or general office functions, the SEC noted that it would cover subadvisory services, recordkeeping, portfolio management, compliance and valuations services, among others.
- Due diligence – before engaging any service provider who provides a covered function, an IA will be required to conduct due diligence on the service provider. As part of that process, the IA would need to examine: (i) the risks that flow from the covered function and the service provider, and methods of mitigating such risks; (ii) the service provider’s experience and capacity to handle the function; (iii) material subcontracting arrangements; (iv) how best to coordinate with the service provider on securities law compliance matters; and (vi) orderly termination of service.
- Monitoring and reassessment – the proposed rule would also require the IA periodically to monitor the service provider’s performance and reassess the selection of the service provider on a reasonable basis and in accordance with the due diligence requirements.
- Compliance records – both the due diligence and reassessment process would need to be memorialized and retained for five years. These records would need to reflect a list of outsourced covered functions, the names of service providers and the factors that led to the outsourcing. In addition, the IA would need to identify risks and outline mitigation and management efforts.
In addition to the foregoing, IAs would need to receive assurances from third-party recordkeepers that they will meet four standards: (i) the recordkeeper has internal processes and systems for keeping records in a manner that is consistent with applicable recordkeeping rules; (ii) the recordkeeper will maintain records in a manner that is consistent with applicable recordkeeping rules; (iii) the recordkeeper will allow both the IA and the SEC to access the records; and (iv) arrangements will be made to ensure continued availability of records in the event the services are terminated.
- Form ADV changes – IAs will be required to publicly disclose information about the service providers that provide covered functions on an SEC Form ADV.
- Recommended actions – IAs should begin reviewing their existing outsourcing arrangements and determine which arrangements would be considered covered functions under the proposed rule. Pursuant to the language of the proposal, these would generally include recordkeeping services, outsourced compliance officers, research and analytics, indexing, cyber and data security and roboadvisory services, though other services may be considered “covered functions.”
- Outsourcing agreement – IAs will be able to satisfy recordkeeping requirements, in part, through the terms of their contract. Although existing service provider agreements likely have many of the terms that would satisfy the proposed rule, IAs should consider what, if any, additional terms need to be added to existing and standard form service provider contracts. These terms should include:
- a representation that the services provided are covered functions;
- service provider and material subcontractor audit rights;
- representations regarding the adequacy of the service provider’s policies and procedures with respect to federal securities laws;
- representations regarding the service provider’s and its material subcontractor’s risk management and mitigation processes;
- covenants to cooperate with and assist the IA in compliance with its fiduciary obligations and federal securities laws;
- limitations on the use of subcontractors in providing material services connected to covered functions;
- service level agreements and system testing requirements;
- business continuity and disaster recovery provisions, including substitute and/or successor arrangements and transition services;
- notice requirements regarding material incidents that take place at the subcontractor that may cause failure to perform a covered function;
- required notice provisions in the event the service provider terminates the agreement;
- termination rights in the event the IA is unable to monitor the service provider in accordance with the proposal; and
- for recordkeeping services, record access for both the IA and SEC as well as record retention and access post-termination and/or record transfer processes.
- Recordkeeping arrangements – IAs should pay particular attention to their recordkeeping arrangements. In light of the recent actions by the SEC regarding retaining records of communications between employees, IAs should begin reviewing their recordkeeping contracts to determine whether provisions address the service provider’s compliance with recordkeeping rules, access to records by both the SEC and the IA, and the availability of records after termination.
- Outsourcing policy and procedure – IAs should also consider what changes may be needed in their outsourcing policies and procedures to implement due diligence, monitoring and recordkeeping requirements under the proposed rule.
- What we can do for you – we can help you prepare for the SEC’s outsourcing proposal. This will involve assessing existing outsourcing services to determine whether they are covered functions and updating the underlying contracts, as necessary. It is also a good opportunity to refresh any obsolete or stale outsourcing policies and procedures.
We have extensive experience in this area, having negotiated thousands of outsourcing contracts under a variety of global regulatory regimes, while maintaining rigorous standards and positive vendor relationships.
Please let us know if you would like to provide any comments to the SEC on the proposed rules and/or discuss your outsourcing relationships further.