Proposed Rule2022-23694
Outsourcing by Investment Advisers
Primary source
Metadata and text below are from the Federal Register, a public-domain U.S. government work. Always verify the official published version before relying on it for any legal matter.
Published
November 16, 2022
Issuing agencies
Securities and Exchange Commission
Abstract
The Securities and Exchange Commission ("Commission" or "SEC") is proposing a new rule under the Investment Advisers Act of 1940 ("Advisers Act") to prohibit registered investment advisers ("advisers") from outsourcing certain services or functions without first meeting minimum requirements. The proposed rule would require advisers to conduct due diligence prior to engaging a service provider to perform certain services or functions. It would further require advisers to periodically monitor the performance and reassess the retention of the service provider in accordance with due diligence requirements to reasonably determine that it is appropriate to continue to outsource those services or functions to that service provider. We also are proposing corresponding amendments to the investment adviser registration form to collect census-type information about the service providers defined in the proposed rule. In addition, we are proposing related amendments to the Advisers Act books and records rule, including a new provision requiring advisers that rely on a third party to make and/or keep books and records to conduct due diligence and monitoring of that third party and obtain certain reasonable assurances that the third party will meet certain standards.
Full Text
<html>
<head>
<title>Federal Register, Volume 87 Issue 220 (Wednesday, November 16, 2022)</title>
</head>
<body><pre>
[Federal Register Volume 87, Number 220 (Wednesday, November 16, 2022)]
[Proposed Rules]
[Pages 68816-68883]
From the Federal Register Online via the Government Publishing Office [<a href="http://www.gpo.gov">www.gpo.gov</a>]
[FR Doc No: 2022-23694]
[[Page 68815]]
Vol. 87
Wednesday,
No. 220
November 16, 2022
Part II
Securities and Exchange Commission
-----------------------------------------------------------------------
17 CFR Parts 275, and 279
Outsourcing by Investment Advisers; Proposed Rule
��Federal Register / Vol. 87 , No. 220 / Wednesday, November 16, 2022 /
Proposed Rules��
[[Page 68816]]
-----------------------------------------------------------------------
SECURITIES AND EXCHANGE COMMISSION
17 CFR Parts 275, and 279
[Release Nos. IA-6176; File No. S7-25-22]
RIN 3235-AN18
Outsourcing by Investment Advisers
AGENCY: Securities and Exchange Commission.
ACTION: Proposed rule.
-----------------------------------------------------------------------
SUMMARY: The Securities and Exchange Commission (``Commission'' or
``SEC'') is proposing a new rule under the Investment Advisers Act of
1940 (``Advisers Act'') to prohibit registered investment advisers
(``advisers'') from outsourcing certain services or functions without
first meeting minimum requirements. The proposed rule would require
advisers to conduct due diligence prior to engaging a service provider
to perform certain services or functions. It would further require
advisers to periodically monitor the performance and reassess the
retention of the service provider in accordance with due diligence
requirements to reasonably determine that it is appropriate to continue
to outsource those services or functions to that service provider. We
also are proposing corresponding amendments to the investment adviser
registration form to collect census-type information about the service
providers defined in the proposed rule. In addition, we are proposing
related amendments to the Advisers Act books and records rule,
including a new provision requiring advisers that rely on a third party
to make and/or keep books and records to conduct due diligence and
monitoring of that third party and obtain certain reasonable assurances
that the third party will meet certain standards.
DATES: Comments should be received on or before December 27, 2022.
ADDRESSES: Comments may be submitted by any of the following methods:
Electronic Comments
<bullet> Use the Commission's internet comment form (<a href="http://www.sec.gov/rules/submitcomments.htm">http://www.sec.gov/rules/submitcomments.htm</a>); or
<bullet> Send an email to <a href="/cdn-cgi/l/email-protection#740601181159171b1919111a0007340711175a131b02"><span class="__cf_email__" data-cfemail="f486819891d9979b9999919a8087b4879197da939b82">[email protected]</span></a>. Please include
File Number S7-25-22 on the subject line.
Paper Comments
<bullet> Send paper comments to Secretary, Securities and Exchange
Commission, 100 F Street NE, Washington, DC 20549-1090.
All submissions should refer to File Number S7-25-22. The file
number should be included on the subject line if email is used. To help
the Commission process and review your comments more efficiently,
please use only one method of submission. The Commission will post all
comments on the Commission's website (<a href="http://www.sec.gov/rules/proposed.shtml">http://www.sec.gov/rules/proposed.shtml</a>). Comments are also available for website viewing and
printing in the Commission's Public Reference Room, 100 F Street NE,
Washington, DC 20549, on official business days between the hours of 10
a.m. and 3 p.m. Operating conditions may limit access to the
Commission's Public Reference Room. All comments received will be
posted without change. Persons submitting comments are cautioned that
the Commission does not edit personal identifying information from
submissions. You should submit only information that you wish to make
available publicly.
Studies, memoranda, or other substantive items may be added by the
Commission or staff to the comment file during this rulemaking. A
notification of the inclusion in the comment file of any such materials
will be made available on the Commission's website. To ensure direct
electronic receipt of such notifications, sign up through the ``Stay
Connected'' option at <a href="http://www.sec.gov">www.sec.gov</a> to receive notifications by email.
FOR FURTHER INFORMATION CONTACT: Christopher Chase, Senior Counsel;
Christian Corkery, Senior Counsel; Juliet Han, Senior Counsel; Mark
Stewart, Senior Counsel; Jennifer Porter, Senior Special Counsel; Holly
Miller, Senior Financial Analyst; Melissa Roverts Harke, Assistant
Director, Investment Adviser Regulation Office, Division of Investment
Management, at (202) 551-6787, Securities and Exchange Commission, 100
F Street NE, Washington, DC 20549-8549.
SUPPLEMENTARY INFORMATION: The Commission is proposing for public
comment 17 CFR 275.206(4)-11 (``proposed rule 206(4)-11'') under the
Advisers Act [15 U.S.C. 80b-1 et seq.]; and amendments to 17 CFR
275.204-2 (rule 204-2) and Form ADV [17 CFR 279.1] under the Advisers
Act.\1\
---------------------------------------------------------------------------
\1\ Unless otherwise noted, when we refer to the Advisers Act,
we are referring to 15 U.S.C. 80b, and when we refer to rules under
the Advisers Act, we are referring to title 17, part 275 of the Code
of Federal Regulations [17 CFR 275]. In addition, unless otherwise
noted, when we refer to the Investment Company Act, we are referring
to 15 U.S.C. 80a.
---------------------------------------------------------------------------
Table of Contents
I. Introduction
A. Background
B. Overview of Rule Proposal
II. Discussion
A. Scope
1. Covered Function
2. Service Provider
3. Recordkeeping of Covered Functions
B. Due Diligence
1. Nature and Scope of Covered Function
2. Risk Analysis, Mitigation, and Management
3. Competence, Capacity, Resources
4. Subcontracting Arrangements
5. Compliance Coordination
6. Orderly Termination
7. Recordkeeping Provisions Related to Due Diligence
C. Monitoring
1. Recordkeeping Provisions Related to Monitoring
D. Form ADV
E. Third-Party Recordkeeping
F. Existing Staff No-Action Letters and Staff Statements
G. Transition and Compliance
III. Economic Analysis
A. Introduction
B. Baseline
1. Affected Parties
2. Adviser Use of Service Providers
3. Applicable Law Impacting Use of Service Providers
C. Broad Economic Considerations
D. Benefits and Costs
1. Due Diligence
2. Monitoring
3. Recordkeeping
4. Form ADV
E. Effects on Efficiency, Competition, and Capital Formation
1. Efficiency
2. Competition
3. Capital Formation
F. Reasonable Alternatives
1. Alternatives to the Proposed Scope
2. Alternatives to the Proposed Due Diligence and Monitoring
Requirements
3. Alternatives to the Proposed Amendments to the Books and
Records Rule
4. Alternatives to the Form ADV Requirements
5. Alternatives to the Transition and Compliance Period
G. Request for Comment
IV. Paperwork Reduction Act Analysis
A. Introduction
B. Rule 204-2
C. Form ADV
D. Request for Comment
V. Initial Regulatory Flexibility Act Analysis
A. Reason For and Objectives of the Proposed Action
1. Proposed Rule 206(4)-11
2. Proposed Amendments to Rule 204-2
3. Proposed Amendments to Form ADV
B. Legal Basis
C. Small Entities Subject to the Rules and Rule Amendments
1. Small Entities Subject to Proposed Rule 206(4)-11 and
Proposed Amendments to Rule 204-2 and Form ADV
D. Projected Reporting, Recordkeeping and Other Compliance
Requirements
1. Proposed Rule 206(4)-11
2. Proposed Amendments to Rule 204-2
[[Page 68817]]
3. Proposed Amendments to Form ADV
E. Duplicative, Overlapping, or Conflicting Federal Rules
1. Proposed Rule 206(4)-11
2. Proposed Amendments to Rule 204-2
3. Proposed Amendments to Form ADV
F. Significant Alternatives
1. Proposed Rules 206(4)-11 and 204-2
2. Proposed Amendments to Form ADV
G. Solicitation of Comments
VI. Consideration of Impact on the Economy
VII. Statutory Authority
I. Introduction
A. Background
The asset management industry has evolved greatly since Congress
adopted the Investment Advisers Act of 1940 (``Advisers Act'' or
``Act''). For instance, many advisers now seek to provide full service
wealth management and financial planning (e.g., tax, retirement,
estate, education, and insurance), and they use electronic systems to
provide those services and keep their records.\2\ Clients and investors
also are seeking to invest in types of securities and other assets that
were not commonly traded or did not exist at that time, including, for
example, derivatives and exchange-traded funds.\3\ At the same time,
fee pressures for advisers have increased.\4\ As a result, advisers are
under pressure to meet evolving and increasingly complex client demands
in a cost-effective way.\5\ The demand for advisory services has grown
as well.\6\ For example, regulatory assets under management (``RAUM'')
have increased from $47 trillion to $128 trillion over the past 10
years; while RAUM managed for non-high net worth advisory clients have
increased from approximately $3.7 trillion to approximately $7
trillion.\7\
---------------------------------------------------------------------------
\2\ See Financial Advisers Now Help with College Plans, Family
Counseling, Cremains, The Wall Street Journal (Aug. 23, 2019),
available at <a href="https://www.wsj.com/articles/financial-advisers-now-help-with-college-plans-family-counseling-cremains-11566558002">https://www.wsj.com/articles/financial-advisers-now-help-with-college-plans-family-counseling-cremains-11566558002</a>;
Beyond Finances: Holistic Life Planning Trends Among Advisors,
Investment News (2020), available at <a href="https://www.investmentnews.com/beyond-finances-holistic-life-planning-trends-among-advisors">https://www.investmentnews.com/beyond-finances-holistic-life-planning-trends-among-advisors</a>.
\3\ See Young, Confident, Digitally Connected--Meet America's
New Day Traders, Reuters (Feb. 2, 2021), available at <a href="https://www.reuters.com/article/us-retail-trading-investors-age/young-confident-digitally-connected-meet-americas-new-day-traders-idUSKBN2A21GW">https://www.reuters.com/article/us-retail-trading-investors-age/young-confident-digitally-connected-meet-americas-new-day-traders-idUSKBN2A21GW</a>; College Students Are Buying Stocks--But Do They Know
What They're Doing?, CNBC (Aug. 4, 2020), available at <a href="https://www.cnbc.com/2020/08/04/college-students-are-buying-stocks-but-do-they-know-what-theyre-doing.html">https://www.cnbc.com/2020/08/04/college-students-are-buying-stocks-but-do-they-know-what-theyre-doing.html</a>.
\4\ See, e.g., Adviser Industry Fee Pressures in Focus,
Planadviser (Feb. 4, 2022), available at <a href="https://www.planadviser.com/exclusives/adviser-industry-fee-pressures-focus/">https://www.planadviser.com/exclusives/adviser-industry-fee-pressures-focus/</a>
(stating that fee compression has impacted adviser revenue models in
recent years due to increasing automation, stiffer competition and
ongoing industry consolidation); CaseyQuirk Remarks and Discussion,
U.S. Securities and Exchange Commission Asset Management Advisory
Committee (Jan. 14, 2020), available at <a href="https://www.sec.gov/files/BenPhillips-CaseyQuirk-Deloitte.pdf">https://www.sec.gov/files/BenPhillips-CaseyQuirk-Deloitte.pdf</a> (stating that buyers are
becoming more fee-sensitive and showing an annualized reduction in
global effective fees between 2015 and 2018).
\5\ A recent survey indicated that advisers are reducing their
own expenses in response to fee compression, with 52% of surveyed
respondents planning to reduce expense ratios on some products. C-
Suite Asset Management Survey, Brown Brothers Harriman & Co. (2020),
at 6 (``C-Suite Asset Management Survey''), available at <a href="https://www.bbh.com/content/dam/bbh/external/www/investor-services/insights/c-suite-asset-manager-survey/C-Suite%20Asset%20Manager%20Survey%20PDF_data.pdf">https://www.bbh.com/content/dam/bbh/external/www/investor-services/insights/c-suite-asset-manager-survey/C-Suite%20Asset%20Manager%20Survey%20PDF_data.pdf</a> (finding more than
half of respondent asset managers are planning to reduce expense
ratios or fees in the following year). See also Fees Were Already
Under Pressure. Then the Pandemic Hit, Institutional Investor (Dec.
8, 2020), available at <a href="https://www.institutionalinvestor.com/article/b1plj6z9wsv5nf/Fees-Were-Already-Under-Pressure-Then-the-Pandemic-Hit">https://www.institutionalinvestor.com/article/b1plj6z9wsv5nf/Fees-Were-Already-Under-Pressure-Then-the-Pandemic-Hit</a>.
\6\ See AWM: From `A Brave New World' to a New Normal, PwC
(2020), at 6, available at <a href="https://www.pwc.lu/en/asset-management/awm-from-a-brave-new-world-to-a-new-normal.html">https://www.pwc.lu/en/asset-management/awm-from-a-brave-new-world-to-a-new-normal.html</a> (calculating
worldwide assets under management in 2019 as $110.9 trillion,
including a 9% compound annual growth rate since 2015).
\7\ Registered investment advisers report $7.096 trillion in
RAUM for non-high net worth advisory clients, based on analysis of
data reported on Form ADV through the Investment Adviser
Registration Depository (IARD) system as of April 30, 2022. The data
consists of assets that are reported by both advisers and sub-
advisers, including mutual fund and ETF assets. Prior to the October
2017 changes to Form ADV, clients and client RAUM were estimated
based on the midpoint of ranges reported.
---------------------------------------------------------------------------
Many advisers are adapting to the changes discussed above by
engaging service providers to perform certain functions
(``outsourcing'').\8\ In some cases, service providers may support the
investment adviser's advisory services and processes. Supporting
functions may include, for example, investment research and data
analytics, trading and risk management, and compliance. In other cases,
advisers hire service providers to perform or assist with functions
that support middle- and back-office functions essential to asset
management (e.g., collateral management, settlement services, pricing
or valuation services, and performance measurement). Additionally,
investment advisers have engaged service providers to perform
activities that form a central part of their advisory services.\9\
Advisers increasingly have engaged index providers to develop bespoke
indexes that an adviser may replicate or track in portfolios for its
clients, advisers engage subadvisers to manage some or all of a
client's portfolio, and advisers use third parties to provide
technology platforms for offering robo-advisory services.
---------------------------------------------------------------------------
\8\ See, e.g., The Race to Scalability 2020: Current Insights
from a Decade of Advisor Research on Investment Management Trends,
Flexshares (2020), available at <a href="https://go.flexshares.com/outsourcing">https://go.flexshares.com/outsourcing</a>; Christopher Newman, Asset Managers Continue to
Outsource Middle Office Functions, EisnerAmper (Oct. 21, 2020),
available at <a href="https://www.eisneramper.com/asset-managers-outsource-ai-blog-1020/">https://www.eisneramper.com/asset-managers-outsource-ai-blog-1020/</a>.
\9\ See Smart Outsourcing Can Be a Game-Changer for RIAs,
ThinkAdvisor (Mar. 18, 2021), available at <a href="https://www.thinkadvisor.com/2021/03/18/smart-outsourcing-can-be-a-game-changer-for-rias/">https://www.thinkadvisor.com/2021/03/18/smart-outsourcing-can-be-a-game-changer-for-rias/</a> (describing benefits to registered investment
advisers of using service providers, including outsourcing
management of individual portfolios and possibility of ``keep[ing]
some core functions in-house and outsourc[ing] others'').
---------------------------------------------------------------------------
Service providers may give the adviser or the adviser's clients
access to certain specializations or areas of expertise, reduce risks
of keeping a function in-house that the adviser is not equipped to
perform, or otherwise offer efficiencies that are unavailable to or
unachievable by an adviser alone. Use of service providers can provide
staffing flexibility by reducing the burdens on advisers' existing
personnel and may mitigate the need to hire new personnel (which
generally entails hiring and onboarding costs in addition to salaries
and benefits). This flexibility may be particularly useful for services
that the adviser uses on a periodic or ad hoc basis but may not need or
wish to dedicate permanent staffing. Advisers with few personnel in
particular may find benefits by allowing service providers to handle
tasks that would otherwise be time-consuming or costly given the lack
of economies of scale. Engaging a service provider also may prove
efficient because it allows an adviser to allocate specific duties to a
single service provider, rather than relying on multiple internal
personnel to complete a function. Clients also can benefit from
outsourcing, including through better quality of service, lower fees
(if the adviser passes along any cost savings), or some combination.
There is a risk that clients could be significantly harmed,
however, when an adviser outsources to a service provider a function
that is necessary for the provision of advisory services without
appropriate adviser oversight. The risk is in addition to any risks
that would exist from the adviser providing these functions and should
be managed. For example, a significant disruption or interruption to an
adviser's outsourced services could affect an adviser's ability to
provide its services to its clients. Outsourcing a service also
presents a conflict of interest between an adviser providing a
sufficient amount of oversight versus the costs of providing that
oversight or the cost of the adviser providing the function itself.
Poor oversight could lead to financial losses for the adviser's
clients, including through market losses and as a result of
[[Page 68818]]
increased transaction costs or the loss of investment opportunities.
Excessive oversight can result in costs to the adviser, and potentially
its clients, that outweigh the intended benefits. Outsourcing also has
the potential to defraud, mislead or deceive clients. For example,
outsourcing necessary advisory functions could have a material negative
impact on clients, such as: inaccurate pricing and performance
information that advisory clients rely on to make decisions about
hiring and retaining the adviser and that advisers rely on to calculate
advisory fees; \10\ compliance gaps that enable fraudulent, deceptive
or manipulative activity by employees and agents of such service
providers to occur or continue unaddressed; \11\ or poor operational
management or risk measurement that leads to client losses. A service
provider's major technical difficulties could prevent the adviser from
executing an investment strategy or accessing an account. Additionally,
sensitive client information and data could be lost \12\ and used to
the client's detriment, or client holdings or trade order information
could be negligently maintained by a service provider and misused by
the service provider's employees or other market participants in
trading ahead or front-running activities. Clients also may be harmed
when a service provider has significant operations in a single
geographic region because weather events, power outages, geopolitical
events and public health events in that location raises concerns that
the service provider can continue to perform its functions during these
events.
---------------------------------------------------------------------------
\10\ See Armental, Maria, BNY Mellon to Pay $3 Million to
Resolve Massachusetts Probe Over Glitch, The Wall Street Journal
(Mar. 21, 2016), available at <a href="https://www.wsj.com/articles/bny-mellon-to-pay-3-million-to-resolve-massachusetts-probe-over-glitch-1458581998">https://www.wsj.com/articles/bny-mellon-to-pay-3-million-to-resolve-massachusetts-probe-over-glitch-1458581998</a>.
\11\ See In the Matter of Aegis Capital, LLC, Investment
Advisers Release No. 4054 (Mar. 30, 2015) (settled order) (failures
of an outsourced Chief Compliance Officer and the adviser's Chief
Operating Officer resulted in Form ADV filings that grossly
overstated the registrant's AUM and total number of clients).
\12\ See Tokar, Dylan et. al., Fund Administrator of Fortress,
Pimco and Others Suffers Data Breach Through Vendor, The Wall Street
Journal (Jul. 27, 2020), available at <a href="https://www.wsj.com/articles/fund-administrator-for-fortress-pimco-and-others-suffers-data-breach-through-vendor-11595857765">https://www.wsj.com/articles/fund-administrator-for-fortress-pimco-and-others-suffers-data-breach-through-vendor-11595857765</a>.
---------------------------------------------------------------------------
Risks related to a service provider's conflicts of interests also
may cause harm to an adviser's clients. There may be conflict of
interest risks when a service provider recommends or otherwise
highlights investments to advisory clients that the service provider
also owns or manages for others. In that circumstance, the service
provider has an incentive to influence investing behavior in a way that
benefits the service provider to the detriment of the adviser's
clients. For example, an index provider that holds an investment it
subsequently adds to its widely followed index has a conflict of
interest because it would directly benefit from creating or increasing
demand for that investment and clients could be harmed if the
investment does not perform as well as other investments the index
provider could have added instead.
The risks of harm may be particularly pronounced where services
that are necessary for the provision of advisory services are highly
technical or proprietary to the service provider, or where the services
require expertise or data the adviser lacks. For example, if an adviser
engages a service provider that uses proprietary technology to measure
portfolio risk or performance of client investments, the adviser likely
would not be able to replicate such measurements for its clients. If
such technology fails to provide accurate measurements, it would be
difficult for the adviser to detect such issues and manage the
portfolios or report performance for its clients without the adviser
having a plan in place for managing and mitigating the risks of such a
failure. The risks of harm are also heightened where the service
provider has further outsourced one or more necessary functions to
another service provider (possibly without the adviser's awareness or
influence), or where the service provider delivers some services from
locations outside of the United States, which introduces potential
oversight and regulatory gaps or oversight challenges. In each of these
cases, the disruption, interruption, or failures in the service
provider's services could affect the ability of every adviser using
that service provider to deliver advisory services to its clients or
otherwise meet its obligations, including under the Advisers Act or
other Federal securities laws.
The use of service providers could create broader market-wide
effects or systemic risks as well, particularly where the failure of a
single service provider would cause operational failures at multiple
advisers.\13\ For example, there could be concentration risks to the
extent that one service provider supplies several services to an
adviser or multiple service providers merge to become a single market
leader. Multiple regulated entities could use a common service
provider,\14\ particularly because service providers have become more
specialized in recent years,\15\ and for certain functions there may be
only a few entities offering relevant (often information technology-
dependent) services. If a large number of investment advisers and their
clients use a common service provider, operational risks could be
correspondingly concentrated, which could, in turn, lead to an
increased risk of broader market effects during times of market
instability. One example where the failure of a service provider had a
broad impact occurred when a corrupted software update to accounting
systems at a widely used fund accounting provider caused industry-wide
concern over the accuracy of fund values for several days.\16\ An
estimated 66 advisers and 1,200 funds were unable to obtain system-
generated net asset values (``NAVs'') for several days, suggesting that
an error in a system used by many advisers could disrupt entire
markets.\17\
---------------------------------------------------------------------------
\13\ See, e.g., The International Organization of Securities
Commissions (``IOSCO'') FR07/2021, Principles on Outsourcing: Final
Report (Oct. 2021), (``IOSCO Report''), available at <a href="https://www.iosco.org/library/pubdocs/pdf/IOSCOPD687.pdf">https://www.iosco.org/library/pubdocs/pdf/IOSCOPD687.pdf</a>. The IOSCO Report
cites examples of risks that could lead to systemic risk if multiple
entities use a common service provider including: (1) if the service
provider suddenly and unexpectedly becomes unable to perform
services that are material or critical to the business of a
significant number of regulated entities, each entity will be
similarly disabled, (2) a latent flaw in the design of a product or
service that multiple regulated entities rely upon may affect all
these users, (3) a vulnerability in application software that
multiple regulated entities rely upon may permit an intruder to
disable or corrupt the systems or data of some or all users, and (4)
if multiple regulated entities depend upon the same provider of
business continuity services (e.g., a common disaster recovery
site), a disruption that affects a large number of those entities
may reduce the capacity of the business continuity service.
\14\ Financial Stability Board, Regulatory and Supervisory
Issues Relating to Outsourcing Third Party Relationships: Discussion
Paper (Nov. 9, 2020), at 2 (``FSB Discussion Paper''), available at
<a href="https://www.fsb.org/wp-content/uploads/P091120.pdf">https://www.fsb.org/wp-content/uploads/P091120.pdf</a>.
\15\ The IOSCO Report, supra footnote 13.
\16\ See Armental, Maria, BNY Mellon to Pay $3 Million to
Resolve Massachusetts Probe Over Glitch, The Wall Street Journal
(Mar. 21, 2016), available at <a href="https://www.wsj.com/articles/bny-mellon-to-pay-3-million-to-resolve-massachusetts-probe-over-glitch-1458581998">https://www.wsj.com/articles/bny-mellon-to-pay-3-million-to-resolve-massachusetts-probe-over-glitch-1458581998</a>.
\17\ See id. See also, e.g., BlackRock: The monolith and the
markets, The Economist (Dec. 7, 2013), available at <a href="https://www.economist.com/briefing/2013/12/07/the-monolith-and-the-markets">https://www.economist.com/briefing/2013/12/07/the-monolith-and-the-markets</a>
(stating that 7% of the world's $225 trillion of financial assets
were supported by the same system and stating, ``If that much money
is being managed by people who all think with the same tools, it may
be managed by people all predisposed to the same mistakes.''); IOSCO
FR06/22, Operational resilience of trading venues and market
intermediaries during the COVID-19 pandemic & lessons for future
disruptions: Final Report, at 23 (July 2022), available at <a href="https://www.iosco.org/library/pubdocs/pdf/IOSCOPD706.pdf">https://www.iosco.org/library/pubdocs/pdf/IOSCOPD706.pdf</a> (stating that
disruption of outsourced services could lead to losses, such as
clients unable to access accounts or have orders executed during
market volatility).
---------------------------------------------------------------------------
[[Page 68819]]
Our observations underscore the risks associated with advisers
outsourcing functions to service providers. We have observed an
increase in such outsourcing and issues related to the outsourcing and
advisers' oversight. One recent example is an enforcement action for
alleged violations of section 206 of the Advisers Act against
investment advisers that used models and volatility guidelines from a
third-party subadviser without first confirming that they worked as
intended.\18\ In another recent action, an adviser allegedly failed to
oversee a third-party vendor that did not properly safeguard customers'
personal identifying information.\19\ Additionally, we are troubled
that the Commission staff have observed some advisers unable to provide
timely responses to examination and enforcement requests because of
outsourcing. In response to our staff's requests for documents, some
advisers have not provided the information necessary to demonstrate
compliance with the Advisers Act and its rules because of outsourcing.
For example, some advisers that use client relationship management
providers have asserted that they have complied with rule 204-3 because
brochure delivery is programmed into the providers' software, though
they cannot produce records to evidence that delivery took place.\20\
---------------------------------------------------------------------------
\18\ See In the Matter of Aegon USA Investment Management, LLC,
et al, Investment Advisers Act Release No. 4996 (Aug. 27, 2018)
(settled order).
\19\ See Morgan Stanley Smith Barney LLC, Investment Advisers
Act Release No. 6138 (Sept. 20, 2022) (settled order).
\20\ See 17 CFR 275.204-3
---------------------------------------------------------------------------
These observations illustrate that despite the existing legal
framework regarding the duties and obligations of investment advisers,
more needs to be done to protect clients and enhance oversight of
advisers' outsourced functions. An adviser has a fiduciary duty to its
clients. The Advisers Act establishes a federal fiduciary duty for
investment advisers that comprises a duty of loyalty and a duty of care
and is made enforceable by the antifraud provisions of the Advisers
Act.\21\ This combination of obligations has been characterized as
requiring the investment adviser to act in the best interests of its
client at all times.\22\
---------------------------------------------------------------------------
\21\ See Transamerica Mortgage Advisors, Inc. v. Lewis, 444 U.S.
11, 17 (1979) (``Sec. 206 establishes federal fiduciary standards
to govern the conduct of investment advisers.'') (quotation marks
omitted); SEC v. Capital Gains Research Bureau, Inc., 375 U.S. 180,
191 (1963); Commission Interpretation Regarding Standard of Conduct
for Investment Advisers, Investment Advisers Act Release No. 5248
(June 5, 2019), at 6-8 [84 FR 33669 (July 12, 2019)] (``Standard of
Conduct Release'').
\22\ See SEC v. Tambone, 550 F.3d 106, 146 (1st Cir. 2008)
(``Section 206 imposes a fiduciary duty on investment advisers to
act at all times in the best interest of the fund . . .''); SEC v.
Moran, 944 F. Supp. 286, 297 (S.D.N.Y 1996) (``Investment advisers
are entrusted with the responsibility and duty to act in the best
interest of their clients.''). See also Standard of Conduct Release,
supra footnote 21, at 6-8 (discussing various interpretations of an
adviser's fiduciary duty spanning several decades).
---------------------------------------------------------------------------
When an investment adviser holds itself out to clients and
potential clients as providing advisory services, the adviser implies
that it remains responsible for the performance of those services and
will act in the best interest of the client in doing so.\23\
Outsourcing a particular function or service does not change an
adviser's obligations under the Advisers Act and the other Federal
securities laws. In addition, the adviser is typically responsible for
the advisory services through an agreement with the client that
represents or implies the adviser is performing all the functions
necessary to provide the advisory services. An adviser remains liable
for its obligations, including under the Advisers Act, the other
Federal securities laws and any contract entered into with the client,
even if the adviser outsources functions. In addition, an adviser
cannot waive its fiduciary duty. Accordingly, an adviser should be
overseeing outsourced functions to ensure the adviser's legal
obligations are continuing to be met despite the adviser not performing
those functions itself.
---------------------------------------------------------------------------
\23\ See Standard of Conduct Release, supra footnote 21
(discussing various interpretations of an adviser's fiduciary duty
spanning several decades). See also section 205(a)(2) of the
Advisers Act makes it unlawful for an SEC-registered adviser to
enter into or perform any investment advisory contract unless the
contract provides that no assignment of the contract shall be made
by the adviser without client consent.
---------------------------------------------------------------------------
As a fiduciary, an investment adviser cannot just ``set it and
forget it'' when outsourcing. In this regard, we are concerned that
outsourcing these necessary functions (defined as ``Covered Functions''
in proposed rule 206(4)-11) in particular, without further oversight by
the investment adviser, can undermine the adviser's provision of
services and compliance with the Federal securities laws, and can
directly harm clients. We also believe it is a deceptive sales practice
and contrary to the public interest and investor protection for an
investment adviser to hold itself out as an investment adviser, but
then outsource its functions that are necessary to its provision of
advisory services to its clients without taking appropriate steps to
ensure that the clients will be provided with the same protections that
the adviser must provide under its fiduciary duty and other obligations
under the Federal securities laws. We believe a reasonable investor
hiring an adviser to provide investment advisory services would expect
the adviser to provide those services and, if significant aspects of
those services are outsourced to a provider, to oversee those
outsourced functions effectively. To do otherwise would be misleading,
deceptive, and contrary to the public interest. Moreover, disclosure
cannot address this deception. We do not believe any reasonable
investor would agree to engage an investment adviser that will not
perform functions necessary to provide the advisory services for which
it is hired, and instead will outsource those functions to a service
provider without effective oversight over the service provider. An
adviser's use of service providers should include sufficient oversight
by an adviser so as to fulfill the adviser's fiduciary duty, comply
with the Federal securities laws, and protect clients from potential
harm.
Accordingly, in light of the increase in the use of service
providers, the services provided, and the risks of client harm
described above, we believe that a consistent oversight framework
across investment advisers is needed for outsourcing functions or
services that are necessary for the investment adviser to provide its
advisory services in compliance with the Federal securities laws.
Proposed new rule 206(4)-11 under the Advisers Act is designed to
address these issues by requiring investment advisers to comply with
specific elements as part of a due diligence and monitoring process to
oversee the provision of covered functions.
Given the increasing use of service providers by investment
advisers, we are also concerned that the Commission has limited
visibility into advisers' outsourcing and thus the potential extent to
which advisory clients face outsourcing-related risks. The Commission
currently collects only limited information about an adviser's use of
certain service providers through forms filed with the Commission, such
as third-party keepers of advisers' books and records and certain
service providers for private funds reported on Form ADV, or during
examinations conducted by Commission staff.\24\ If the Commission had
additional information about which service providers all registered
advisers are using that are necessary to perform their advisory
services, for example, it could quickly
[[Page 68820]]
analyze the potential breadth of the impact from a market event. In the
event of a critical failure at an asset management service provider,
the Commission would be able to identify quickly all advisers reporting
that firm on Form ADV as a service provider of one or more covered
functions, which can help inform the Commission's course of action.
---------------------------------------------------------------------------
\24\ See Form ADV Part 1A, Schedule D, Sections 1.L. and 7.B.1.
---------------------------------------------------------------------------
Finally, we are concerned that when an investment adviser
outsources its books and records obligations to a third party, the
adviser may not be properly ensuring that it can comply with the
Commission's recordkeeping requirements. Currently, rule 204-2 requires
advisers to make and keep specified records, including standards for
keeping those records electronically, but does not expressly impose
specific requirements when an adviser outsources recordkeeping
functions to a third party.\25\ We believe that specific conditions
should apply to all advisers using third parties to make and keep
records required by rule 204-2.
---------------------------------------------------------------------------
\25\ Commission staff addressed third party recordkeeping in two
staff letters. See OMGEO, LLC, SEC Staff No-Action Letter (Aug. 14,
2009), at n.3 (``OMGEO NAL''), available at <a href="https://www.sec.gov/divisions/investment/noaction/2009/omgeo081409.htm">https://www.sec.gov/divisions/investment/noaction/2009/omgeo081409.htm</a> (citing First
Call and National Regulatory Services, SEC Staff No-Action Letter
(Dec. 2, 1992)); First Call Corporation, SEC Staff No-Action Letter
(Sept. 6, 1995) (``First Call NAL''), available at <a href="https://www.sec.gov/divisions/investment/noaction/1995/firstcall090695.pdf">https://www.sec.gov/divisions/investment/noaction/1995/firstcall090695.pdf</a>.
The staff no-action letters represent the views of the staff of the
Division of Investment Management. They are not a rule, regulation,
or statement of the Commission. The Commission has neither approved
nor disapproved their content. The staff no-action letters, like all
staff statements, have no legal force or effect: they do not alter
or amend applicable law, and they create no new or additional
obligations for any person. See also infra section II.F.
---------------------------------------------------------------------------
B. Overview of Rule Proposal
The proposed rule would establish a set of minimum and consistent
due diligence and monitoring obligations for an investment adviser
outsourcing certain functions to a service provider. Proposed rule
206(4)-11 under the Advisers Act would apply to advisers that are
registered or required to be registered with us and that outsource a
covered function.\26\ The definition of a covered function has two
parts: (1) a function or service that is necessary for the adviser to
provide its investment advisory services in compliance with the Federal
securities laws, and (2) that, if not performed or performed
negligently, would be reasonably likely to cause a material negative
impact on the adviser's clients or on the adviser's ability to provide
investment advisory services.\27\ Clerical, ministerial, utility, or
general office functions or services are excluded from the
definition.\28\ Before engaging a service provider to perform a covered
function, the adviser would have to reasonably identify and determine
through due diligence that it would be appropriate to outsource the
covered function, and that it would be appropriate to select that
service provider, by complying with six specific elements. These
elements address:
---------------------------------------------------------------------------
\26\ Proposed rule 206(4)-11(a). The rule number assigned to the
proposed rule 206(4)-11 is based on the numbering for other rule
amendments the Commission previously proposed. See, e.g.,
Cybersecurity Risk Management for Investment Advisers, Registered
Investment Companies, and Business Development Companies, available
at <a href="https://www.sec.gov/rules/proposed/2022/33-11028.pdf">https://www.sec.gov/rules/proposed/2022/33-11028.pdf</a> (proposing
rule 206(4)-9 related to cybersecurity policies and procedures of
investment advisers); Private Fund Advisers: Documentation of
Registered Investment Adviser Compliance Reviews, available at
<a href="https://www.sec.gov/rules/proposed/2022/ia-5955.pdf">https://www.sec.gov/rules/proposed/2022/ia-5955.pdf</a> (proposing rule
206(4)-10 related to private fund adviser audits). This number could
change based on future Commission actions.
\27\ Proposed rule 206(4)-11(b).
\28\ Proposed rule 206(4)-11(b).
---------------------------------------------------------------------------
<bullet> The nature and scope of the services;
<bullet> Potential risks resulting from the service provider
performing the covered function, including how to mitigate and manage
such risks;
<bullet> The service provider's competence, capacity, and resources
necessary to perform the covered function;
<bullet> The service provider's subcontracting arrangements related
to the covered function;
<bullet> Coordination with the service provider for Federal
securities law compliance; and
<bullet> The orderly termination of the provision of the covered
function by the service provider.\29\
---------------------------------------------------------------------------
\29\ Proposed rule 206(4)-11(a)(1).
---------------------------------------------------------------------------
The proposed rule also would require the adviser periodically to
monitor the service provider's performance and reassess the selection
of such a service provider under the due diligence requirements of the
rule.\30\ Each of these elements is included in the rule to address
specific areas of risks and concerns that we have observed, as
described above. Although the proposed rule does not require additional
explicit written policies and procedures related to service provider
oversight, if the proposed rule were adopted, advisers would be
required under existing rule 206(4)-7 to have policies and procedures
reasonably designed to prevent violations of the Advisers Act and rules
under the Act, and this requirement would apply to the proposed rule.
---------------------------------------------------------------------------
\30\ Proposed rule 206(4)-11(a)(2).
---------------------------------------------------------------------------
In addition, we are proposing to require advisers to make and keep
certain books and records attendant to their obligations under the
proposed oversight framework, such as lists or records of covered
functions and records documenting their due diligence and monitoring of
each service provider.\31\ The requirement to make and keep such books
and records would help advisers monitor, and determine whether to
modify, their approach to outsourcing a particular function. These
records would also assist the Commission and its staff in evaluating
adviser representations about their services and the extent to which an
adviser complies with the rule.
---------------------------------------------------------------------------
\31\ See proposed rule 204-2(a)(24).
---------------------------------------------------------------------------
We are also proposing to add a new provision in the recordkeeping
rule requiring every investment adviser that relies on a third party to
make and/or keep books and records required by the recordkeeping rule
to conduct due diligence and monitoring of that third party consistent
with the requirements under proposed rule 206(4)-11 and obtain
reasonable assurances that the third party will meet four standards.
These standards address the third party's ability to: (i) adopt and
implement internal processes and/or systems for making and/or keeping
records that meet the requirements of the recordkeeping rule applicable
to the adviser in providing services to the adviser; (ii) make and/or
keep records that meet all of the requirements of the recordkeeping
rule applicable to the adviser; (iii) provide access to electronic
records; and (iv) ensure the continued availability of records if the
third party's operations or relationship with the adviser cease. The
requirements are intended to protect required records from loss,
alteration, or destruction and to help ensure that such records are
accessible to the investment adviser and the Commission staff while
allowing investment advisers to continue to contract with a wide
variety of service providers to assist with recordkeeping functions.
Finally, we are proposing amendments to Form ADV that are designed
to improve visibility for the Commission and advisory clients relating
to service providers that perform covered functions. New item 7.C. in
Part 1A and Section 7.C. in Schedule D would require advisers to
provide census-type information about these providers.\32\ These
disclosures would provide more information about outsourced functions,
enabling clients
[[Page 68821]]
to make better informed decisions about the retention of an adviser and
enabling the Commission and its staff to identify and address risks
related to outsourcing by advisers and oversee advisers' use of service
providers better.
---------------------------------------------------------------------------
\32\ Because Form ADV Part 1A is submitted in a structured, XML-
based data language specific to that Form, the information in
proposed new Item 7.C would be structured (i.e., machine-readable)
as well.
---------------------------------------------------------------------------
II. Discussion
A. Scope
Under proposed rule 206(4)-11, as a means reasonably designed to
prevent fraudulent, deceptive, or manipulative acts, practices, or
courses of business within the meaning of section 206(4) of the Act, it
would be unlawful for an investment adviser registered or required to
be registered with the Commission to retain a service provider to
perform a covered function unless the investment adviser conducts
certain due diligence and monitoring of the service provider.\33\ A
covered function is defined in the proposed rule as a function or
service that is necessary for the adviser to provide its investment
advisory services in compliance with the Federal securities laws, and
that, if not performed or performed negligently, would be reasonably
likely to cause a material negative impact on the adviser's clients or
on the adviser's ability to provide investment advisory services.\34\
The proposed rule defines a service provider as a person or entity that
performs one or more covered functions and is not an adviser's
supervised person as defined in the Advisers Act.\35\ A covered
function would not include clerical, ministerial, utility, or general
office functions or services.\36\
---------------------------------------------------------------------------
\33\ See proposed rule 206(4)-11(a).
\34\ Proposed rule 206(4)-11(b).
\35\ Proposed rule 206(4)-11(b).
\36\ Proposed rule 206(4)-11(b).
---------------------------------------------------------------------------
1. Covered Function
We are proposing to define ``covered function'' more narrowly than
all of the functions an investment adviser might outsource to a service
provider. Advisers outsource many services beyond their core advisory
functions, and the failure of many of those functions could have little
to no effect on an adviser's clients. Accordingly, we are targeting
those outsourced functions that meet two elements: (1) those necessary
for the adviser to provide its investment advisory services in
compliance with the Federal securities laws; and (2) those that, if not
performed or performed negligently, would be reasonably likely to cause
a material negative impact on the adviser's clients or on the adviser's
ability to provide investment advisory services.\37\
---------------------------------------------------------------------------
\37\ See proposed rule 206(4)-11.
---------------------------------------------------------------------------
The proposed rule applies if an adviser retains a service provider
to perform a covered function, whether by a written agreement or by
some other means. The Commission is not specifying how an adviser might
retain a service provider to perform a covered function, but an adviser
should consider using a written agreement as a best practice. The
determination of whether an adviser has retained a service provider to
perform such a covered function would depend on the facts and
circumstances. For example, an adviser that enters into a written
agreement with a valuation provider to value all of its clients' fixed
income securities or with a subadviser to manage fixed income
portfolios for several of its clients would be considered to retain a
service provider under the proposed rule to perform a function that is
necessary for the adviser to provide its advisory services. In
contrast, custodians that are independently selected and retained
through a written agreement directly with the client would not be
covered by the proposed rule because the adviser is not retaining the
service provider to perform a function that is necessary for the
adviser to provide its advisory services.
The determination of what is a covered function also would depend
on the facts and circumstances, as the proposed rule is meant to
encompass functions or services that are necessary for a particular
adviser to provide its investment advisory services. In addition,
certain functions may be covered functions for one adviser but not for
another adviser, and so certain persons or entities that perform
functions on behalf of advisers may be a service provider in the scope
of the rule with respect to one adviser but not for another adviser. We
are providing examples of potential covered function categories an
adviser may wish to consider in the amendments we are proposing to Form
ADV, Section 7.C of Schedule D, which would include: Adviser/
Subadviser; Client Services; Cybersecurity; Investment Guideline/
Restriction Compliance; Investment Risk; Portfolio Management
(excluding Adviser/Subadviser); Portfolio Accounting; Pricing;
Reconciliation; Regulatory Compliance; Trading Desk; Trade
Communication and Allocation; and Valuation.
Advisers outsource functions that are essential to asset management
or directly support the adviser's advisory services and processes.
Depending on the specific facts and circumstances, when problems arise
with these types of functions, clients could experience a material
negative impact, such as interruptions in advisory services or the
adviser's inability or failure to comply with its legal
responsibilities. We believe an adviser should take specific oversight
steps required by the proposed rule to reduce the likelihood that these
types of problems will occur and to reduce their impact when they do
occur. In addition when an investment adviser holds itself out to
clients and potential clients as providing advisory services, the
adviser implies that it remains responsible for the performance of
those services and will act in the best interest of the client in doing
so. We believe it is contrary to the public interest and investor
protection if the adviser then outsources covered functions without
effectively overseeing those outsourced functions. Accordingly, an
adviser should be overseeing outsourced functions to ensure the
adviser's legal obligations are continuing to be met despite the
adviser not performing those functions itself.
Generally, we would consider functions or services that are related
to an adviser's investment decision-making process and portfolio
management to meet the first element of the definition. For example,
some functions and services covered under the first element would be
those related to providing investment guidelines (including maintaining
restricted trading lists), creating and providing models related to
investment advice, creating and providing custom indexes, providing
investment risk software or services, providing portfolio management or
trading services or software, providing portfolio accounting services,
and providing investment advisory services to an adviser or the
adviser's clients (subadvisory services).\38\ Covered functions can
[[Page 68822]]
include technology integral to an adviser's investment decision-making
process and portfolio management or other functions necessary for the
adviser to provide its investment advisory services. For example, if an
adviser's investment decision-making process relies on artificial
intelligence or software as a service, those services may form part of
the covered function even though they are provided through technology.
As discussed above, certain of these functions may be covered functions
for one adviser but not for another adviser, depending on the facts and
circumstances. For example, an adviser may choose to engage an index
provider for the purposes of developing an investment strategy for its
clients, which would be a covered function under the proposed rule,
while another may license a widely available index from an index
provider to use as a performance hurdle, in which case the proposed
rule would not apply. We believe that the services of an index
provider, if retained by an adviser for purposes of formulating the
adviser's investment advice, would meet the first element of the
definition of a covered function because such services would be
necessary for the adviser to provide investment advice to its client.
Implementing an investment decision also may meet this element,
including identifying which portfolios to include or exclude,
determining how to allocate a position among portfolios, and submitting
the final orders to the broker. In order to provide investment advisory
services in compliance with the Federal securities laws, an adviser
might also seek to outsource its compliance functions, including
outsourced chief compliance officers and other outsourced compliance
functions such as making regulatory filings on behalf of the adviser,
and valuation and pricing services.\39\ Ensuring the adviser complies
with the regulatory requirements applicable to its advisory services is
a necessary part of providing those services and would be covered under
the rule. We would not consider functions performed by marketers and
solicitors to be covered functions, however, because such services are
not used by an adviser to provide investment advice to its clients.\40\
---------------------------------------------------------------------------
\38\ These providers' activities, in whole or in part, may cause
them to meet the definition of ``investment adviser'' under the
Advisers Act. In a separate action, the Commission issued a request
for public comment related to the status and registration of certain
information providers, including index providers, model portfolio
providers, and pricing services, under the Advisers Act. See Request
for Comment on Certain Information Providers Acting as Investment
Advisers, Investment Advisers Release No. 6050 (Jun. 15, 2022) [87
FR 37254 (Jun. 22, 2022)] (``Information Providers Request for
Comment''), available at <a href="https://www.sec.gov/rules/other/2022/ia-6050.pdf">https://www.sec.gov/rules/other/2022/ia-6050.pdf</a>. The comment letters on the Information Providers Request
for Comment (File No. S7-18-22) are available at <a href="https://www.sec.gov/comments/s7-18-22/s71822.htm">https://www.sec.gov/comments/s7-18-22/s71822.htm</a> and we are continuing to
consider all of the comments received. Several commenters noted that
many advisers and fund boards oversee information providers and that
advisers are fiduciaries bearing the ultimate responsibility for
information providers' services. See, e.g., Comment Letter of ETF
BILD (Aug. 16, 2022); Comment Letter of Investment Advises
Association (Aug. 16, 2022); Comment Letter of Index Industry
Association (Aug. 16, 2022); Comment Letter of Invesco Ltd. (Aug.
16, 2022); Comment Letter of Investment Company Institute (Aug. 16,
2022) (``Comment Letter of ICI''); Comment Letter of Independent
Directors Council (Aug. 16, 2022); Comment Letter of NASDAQ (Aug.
16, 2022) (``Comment Letter of NASDAQ''); Comment Letter of S&P Dow
Jones Indices (Aug. 16, 2022); Comment Letter of S&P Global Market
Intelligence (Aug. 15, 2022); Comment Letter of the Securities
Industry and Financial Markets Association (Aug. 16, 2022)
(``Comment Letter of SIFMA''). Some commenters also suggested as an
alternative to regulating these information providers as investment
advisers, that the Commission consider regulating adviser oversight
of information providers. See, e.g., Comment Letter of Healthy
Markets Association and CFA Institute (Aug. 16, 2022); Comment
Letter of ICI; Comment Letter NASDAQ; Comment Letter of SIFMA.
\39\ For example, an adviser may use valuation service providers
to assist in fair value determinations. Such services would be
included under the proposed rule as covered functions, as opposed
to, for example, common market data providers providing publicly
available information.
\40\ Marketers and solicitors must determine whether they are
subject to statutory or regulatory requirements under Federal law,
including the requirement to register as a broker-dealer pursuant to
section 15(b) of the Securities Exchange Act of 1934. See 15 U.S.C.
78o(b).
---------------------------------------------------------------------------
The second element of the proposed definition of ``covered
function'' limits the definition to those functions or services that,
if not performed or performed negligently, would be reasonably likely
to cause a material negative impact on the adviser's clients or on the
adviser's ability to provide investment advisory services.\41\
Determining what is a material negative impact would depend on the
facts and circumstances, but it could include a material financial loss
to a client or a material disruption in the adviser's operations
resulting in the inability to effect investment decisions or to do so
accurately. An adviser should consider a variety of factors when
determining what would be reasonably likely to have a material negative
impact, such as the day-to-day operational reliance on the service
provider, the existence of a robust internal backup process at the
adviser, and whether the service provider is making or maintaining
critical records, among other things. For example, if an adviser used a
service provider for portfolio management functions that experienced a
cyber-incident that caused an inability for the adviser to monitor
risks in client portfolios properly, it would be reasonably likely to
cause a material negative impact on the adviser's clients and its
ability to provide investment advisory services.\42\
---------------------------------------------------------------------------
\41\ See proposed rule 206(4)-11(b).
\42\ See infra section II.B.4.
---------------------------------------------------------------------------
A covered function would not include clerical, ministerial,
utility, or general office functions or services.\43\ These types of
functions or services are not functions that an adviser would perform
on its own or they are not likely to qualify as a covered function
under the proposed rule because they are not necessary for an adviser
to provide investment advisory services in compliance with the Federal
securities laws or they are not likely to cause a material harm to
clients if not performed properly. For example, covered functions would
not include the adviser's lease of commercial office space or
equipment, use of public utility companies, utility or facility
maintenance services, or licensing of general software providers of
widely commercially available operating systems, word processing
systems, spreadsheets, or other similar off-the-shelf software.
---------------------------------------------------------------------------
\43\ Proposed rule 206(4)-11(b).
---------------------------------------------------------------------------
To illustrate how to apply the definition of a covered function, if
an adviser engaged an index provider to create or lease an index for
the adviser to follow as a strategy for its advisory clients, it would
likely fall under both elements of the definition. First, using a
bespoke index created specifically for the adviser to follow would
serve as a material service that is necessary for the adviser to
provide investment advisory services to the extent the index is used by
the adviser to provide investment advice and make investments on behalf
of the advisory client. Second, if the function is not performed or
performed negligently, it would have a material negative impact on the
adviser's ability to provide investment advisory services because if,
for instance, the service provider failed to provide the index, the
adviser would not be able to make investments for the client as needed.
Similarly, if an adviser licenses a commonly available index and its
stated investment strategy involves management against that index,
failure to receive the index or an inaccurate delivery of the index
could have a material negative impact on the adviser's ability to
manage that portfolio. In contrast, if an adviser purchases a license
to utilize a commonly available index solely as a comparison benchmark
for performance and not to inform the adviser's investment decisions as
part of its advisory services, that index provider would most likely
not be providing a covered function because, in that context, the
adviser is not using the index to provide investment advice.
2. Service Provider
An investment adviser would be required to comply with the proposed
rule if the adviser retains a service provider. The term ``service
provider'' is defined as a person or entity that: (1) performs one or
more covered functions; and (2) is not a supervised person of the
[[Page 68823]]
adviser.\44\ The proposed rule excludes supervised persons of an
adviser from the definition of a service provider since such persons
are already being directly overseen by the adviser.\45\ The proposed
rule does not, however, make a distinction between third-party
providers and affiliated service providers because the risks that the
proposed rule are designed to address exist whether the service
provider is affiliated or unaffiliated, and the service provider is not
necessarily already being overseen by the adviser. For example, the
ability to have direct control or full transparency may be limited when
an adviser outsources, even to an affiliated service provider, which
may increase the risk for failed regulatory compliance. As such, even
though the affiliate may be in a control relationship with the adviser,
it remains important for the adviser to determine if it is appropriate
to retain the affiliate's services and to oversee the affiliate's
performance of a covered function.
---------------------------------------------------------------------------
\44\ See proposed rule 206(4)-11(b).
\45\ See proposed rule 206(4)-11(b). A supervised person is
defined in section 2(a)(25) of the Advisers Act as any partner,
officer, director, (or other person occupying a similar status or
performing similar functions), or employee of an adviser, or other
person who provides investment advice on behalf of the adviser and
is subject to the supervision and control of the adviser.
---------------------------------------------------------------------------
The proposed rule would not include an exception for service
providers that are subject to other provisions of the Advisers Act,
including SEC-registered advisers, or other Federal securities laws. An
adviser remains liable for its legal and contractual obligations and
should be overseeing outsourced functions to ensure the adviser meets
its legal and contractual obligations, regardless of whether the
service provider has its own legal obligations under the Federal
securities laws. For example, if an adviser engages a broker-dealer to
provide an electronic trading platform to submit orders from the
adviser and allocate trades among the adviser's client accounts after
the trades have been executed, then the adviser's engagement of the
broker-dealer for those services would not be excepted from the
proposed rule. We believe providing orders to a broker-dealer and
allocating securities to client accounts after the trade are part of an
investment adviser's services and responsibilities that cannot be
outsourced without further oversight because, particularly in a
discretionary account, instructing a broker-dealer about the trades the
adviser is recommending and then allocating trades among client
accounts is a critical component of an adviser's provision of
investment advisory services. Additionally, we believe it would be
reasonable for a client to expect initial and continued adviser
oversight of that function, and the broker-dealer's failure to perform
or negligent performance of its covered function could be reasonably
likely to cause a material harm to the adviser's clients and its
ability to provide its advisory services. For example, without proper
oversight of this function, failing to perform the function could
result in an adviser being unable to submit orders or allocate trades.
A service provider performing asset allocations on behalf of the
adviser also might allocate shares in a manner that favors certain
clients over others or might fail to consider whether allocating
additional shares would violate a client' investment guidelines.
If an adviser engages an SEC-registered adviser as a subadviser to
manage and evaluate investments within a portfolio, then the adviser
would not be excepted from the proposed rule. Even if the subadviser
would be subject to its own compliance with the Federal securities
laws, the adviser remains responsible for its advisory services and
should perform its own due diligence and monitoring of the subadviser
to ensure its obligations continue to be met. Moreover, the adviser's
compliance with the proposed rule would not alleviate the subadviser's
own compliance with the Federal securities laws, including the proposed
rule. In the event that an SEC-registered subadviser were to hire a
service provider itself, for example to help manage and evaluate the
investments within a managed portfolio, the subadviser would be
required to comply with the proposed rule with respect to that service
provider. The subadviser would have the same obligations and duties to
its client as any other SEC-registered adviser, whether the
subadviser's client is another adviser or a client of another adviser,
and the subadviser should engage in the same oversight requirements as
any other adviser. All advisers registered or required to be registered
are subject to the proposed rule if they engage a service provider to
perform a covered function, regardless of the identities of their
clients or their relationships to other advisers.
3. Recordkeeping of Covered Functions
An adviser would first need to determine which functions are
covered functions in order to comply with the requirements of the
proposed rule. Accordingly, we are proposing to revise the Advisers Act
books and records rule to require an adviser to make and keep a list or
other record of covered functions that the adviser has outsourced to a
service provider and the name of each service provider, along with a
record of the factors, corresponding to each listed function, that led
the adviser to list it as a covered function.\46\
---------------------------------------------------------------------------
\46\ See proposed rule 204-2(a)(24)(i). The rule number assigned
to subparagraph (24) of the proposed amendments to rule 204-2(a) is
based on the numbering for other rule amendments the Commission
previously proposed. See e.g., Private Fund Advisers: Documentation
of Registered Investment Adviser Compliance Reviews, available at
<a href="https://www.sec.gov/rules/proposed/2022/ia-5955.pdf">https://www.sec.gov/rules/proposed/2022/ia-5955.pdf</a> (proposing rule
204-2(a)(20) to (23)). The proposed rule's subsection number could
change based on future Commission actions.
---------------------------------------------------------------------------
The recordkeeping requirement might be satisfied by a written
agreement between the adviser and service provider, explicitly stating
that the function or service provided is a covered function under the
proposed rule and the name of each service provider. The written
agreement could include the factors that led the function to be deemed
a covered function, or that information could be memorialized in a
separate record. Alternatively, there might be a written memorandum or
other document prepared by the adviser that lists the names of the
service providers; that explains how a particular function or service
is one that is deemed to be necessary to provide investment advisory
services in compliance with the Federal securities laws and that would
be reasonably likely to cause a material negative impact on the
adviser's clients or on the adviser's ability to provide investment
advisory services if not performed or performed negligently; and that
provides the factors that led the function to be deemed a covered
function. The adviser's written compliance policies also could identify
the covered functions and the factors considered for each, such as the
type of function or service provided or whether the adviser could
provide investment advisory services without the covered function.
The method by which the adviser meets this proposed requirement
(e.g., written agreement, memorandum to file, etc.) and the factors
relevant to the adviser's determination would likely vary depending on
each function or service for which an adviser engages a service
provider. Accordingly, we are not specifying any particular method for
making the list or record of factors to consider.\47\
---------------------------------------------------------------------------
\47\ See proposed rule 204-2(e)(1).
---------------------------------------------------------------------------
Due to the unique nature of an adviser's relationship with a
service provider, we are also proposing to revise the Advisers Act
books and records rule
[[Page 68824]]
to require that the records be maintained in an easily accessible place
throughout the time period that the adviser has outsourced a covered
function to a service provider, and for a period of five years
thereafter.\48\ This amendment would help facilitate the Commission's
inspection and enforcement capabilities.
---------------------------------------------------------------------------
\48\ See rule 204-2.
---------------------------------------------------------------------------
We request comment on the proposed scope of the rule:
1. Is the proposed scope of the rule appropriate? Why or why not?
In what ways, if any, could the proposed scope of the rule or the
proposed definition of covered function better match our policy goals?
Does it need to be made clearer?
2. Instead of oversight requirements when an adviser outsources a
covered function, should we only require Form ADV disclosure to clients
and potential clients of any outsourcing of certain functions? Would it
be sufficient for an adviser to disclose that it would outsource these
services and not oversee them and would any reasonable investor agree
to this approach? Or would a more limited approach to the oversight of
service providers be appropriate instead of the proposed requirements?
If so, what should that limited approach be?
3. In addition to the proposed oversight requirements when an
adviser outsources a covered function, should the rule include an
express provision that prohibits an adviser from disclaiming liability
when it is not performing a covered function itself?
4. Is the proposed definition of ``covered function'' clear? Why or
why not? In what ways, if any, could the proposed definition be made
clearer?
5. The proposed rule is designed to apply in the context of
outsourcing core advisory functions. The proposed rule does so by
qualitatively describing what we believe is a core advisory function--
namely, a function or service that is necessary for the investment
adviser to provide its investment advisory services in compliance with
the Federal securities laws. Does the proposed definition of covered
function capture this intended core advisory function scope? Should the
rule explicitly state that its application is limited to core
investment advisory services? If yes, how would we identify and define
what would be considered ``core investment advisory services''?
6. Instead of our proposed definition, should we define ``covered
functions'' as a specified list of core investment advisory activities,
such as ``services that are central to the selection, trading,
valuation, management, monitoring, indexing, and modeling of
investments''? Are there other specific functions or services that
should be included or excluded from this list? Please explain. Are the
services in this list clear? For example, would we need to define
trading in this alternative definition to include allocation and
communications related to trades? Would it be clear that subadvisers
and portfolio management would be included as ``management'' in this
alternative definition or that risk management is part of management
and monitoring? Would it be confusing to list management and selection
as well as indexing and modeling in this alternative definition? Is
there overlap among the categories? If there is overlap, should the
rule list only certain of these categories, such as selection and
management, or would certain core services or functions be
inadvertently excluded?
7. Should the Commission include or exclude in the definition of
covered function any particular functions or services discussed within
the release? Should services related to investment risk identification
or monitoring be specifically identified, or would they be assumed to
be included as part of the selection or management of investments?
Instead should the specified list of covered functions/services be the
same as those provided by service provider types listed in the proposed
amendments to Form ADV?
8. Are there particular types of service providers to which the
rule should apply? For example, should the rule explicitly include the
service providers advisers would be required to identify in proposed
amendments to Form ADV (portfolio management, trade communication and
allocation, pricing services, valuation services, investment risk
services, portfolio accounting services, client servicing, subadvisory
services, and/or regulatory compliance)? Should we explicitly require
the rule to apply to index providers, model providers, valuation
agents, or other service providers that may be central to an adviser's
investment decision-making process?
9. What would be the advantages and disadvantages of explicitly
identifying the types of functions or providers that would trigger the
rule? For instance, is there a risk of being over-inclusive and under-
inclusive if we take such an approach? Are there certain services or
functions that should be considered ``core'' for all advisers, or does
what constitutes a ``core'' advisory function vary from one adviser to
the next? Should what is considered ``core'' correlate to a certain
percentage of clients who receive (and presumably can therefore be
affected by) the service provider's services? That is, would a service
provider's functions be considered ``core'' to an adviser if they could
have an impact on a certain minimum percentage of the adviser's
clients? Should it correlate to a certain percentage of regulatory
assets under management that receive (and, again, presumably can be
affected by) the service provider's services? That is, would a service
provider's functions be considered ``core'' to an adviser if they could
have an impact on a certain minimum percentage of the adviser's
regulatory assets under management? What would be a percentage of
either such measurement that should trigger application of the rule?
5%? 10%? 15%? 20%? Please explain your answer.
10. Should data providers be explicitly included within the scope
of the rule? Are there specific types of data providers that might be
considered ``covered functions,'' such as providers of security master
data, corporate action data, or index data?
11. Instead of considering certain compliance functions to be a
``covered function'' under the rule, should we amend rule 206(4)-7 to
require advisers to comply with the due diligence and monitoring
requirements of proposed rule 206(4)-11 and 204-2(a)(24) for all
outsourced compliance functions, as we are proposing for records made
and kept by third parties, as described below?
12. Should we revise the proposed exclusion for clerical or
ministerial services? Should we provide different or additional
specific exclusions from the definition of covered function under the
rule? Which ones, if any? For example, should we use the same
definition of supervised person as in the Advisers Act? Should we
explicitly exclude broad-based and widely published indices or specific
clerical or ministerial services such as basic utilities and widely
commercially available operating systems, word processing systems, or
spreadsheets, utilities, or general office functions or services?
Should we exclude functions or categories of services or should we list
specific service providers that should be excluded? How should we view
these services or functions when they are integral to the provision of
a covered function (e.g., when investment performance is calculated in
a spreadsheet or an order management system is hosted in the cloud)?
13. Should we define ``covered function'' more broadly or more
narrowly, and if so, how? For example, should we only use the first
prong of the proposed definition and broaden the
[[Page 68825]]
definition to any function or service that is necessary for the
investment adviser to provide its advisory services in compliance with
the Federal securities laws, regardless of the likely impact on clients
of non- or negligent performance? Or should we only use the second
prong of the definition to apply the rule to any services or functions
that, if not performed or performed negligently, could potentially have
a material negative impact, regardless of whether they are necessary
for the adviser to provide its advisory services in compliance with the
Federal securities laws? Should we change the second prong of the
definition, for example, by applying the rule to any services or
functions that if not performed or performed in a manner materially
different from the adviser's representations or undertakings could
potentially have a material negative impact?
14. Should the definition of ``covered function'' be expanded to
include functions or services necessary for the adviser to comply with
the Federal securities laws or with the Advisers Act instead of
limiting the definition to functions or services necessary to provide
investment advisory services in compliance with the Federal securities
laws? Should the definition include other third-party providers of
services to the adviser's clients, such as broker-dealers and
custodians? Should the definition include any third-party providers
that the adviser recommends to clients even if those providers enter
into an agreement directly with the client and not with the investment
adviser?
15. Is ``necessary for the adviser to provide its advisory services
in compliance with the Federal securities laws'' sufficiently clear? Is
the term ``necessary'' too restrictive and, if so, should alternate
language be used, such as ``supports the adviser in making investment
selections and otherwise providing its advisory services in compliance
with the Federal securities laws''? Should the proposed rule be limited
to providing its advisory services in compliance with obligations only
under the Advisers Act?
16. Is the proposed definition of ``service provider'' clear? Why
or why not? In what ways, if any, could the proposed definition be made
clearer?
17. Are the meanings of ``material negative impact'' and
``reasonably likely'' clear? Why or why not? Should we define these
phrases or provide additional guidance? If so, how? Is there a
different phrase we should use that conveys the same idea?
18. Should the rule define what it means to retain a service
provider to perform a covered function? If so, how? Should we
explicitly state that outsourcing would include affiliated entities of
an adviser, including parent organizations?
19. Should we define when an adviser would retain a service
provider for purposes of the proposed rule? Are there specific factors
that should be relevant in determining whether a service provider
arrangement should be subject to the rule? For example, should the rule
apply where the adviser recommends the service provider to some or all
of its clients? Would a relevant factor be the extent to which the
adviser makes arrangements for the client to engage the service
provider? Should the approach differ depending on whether the client is
a fund (registered or not) or a separately managed account and the
extent to which the adviser is a control person of the fund or has some
control over the fund's contracting arrangements? Or should the
proposed rule only include service providers that contract directly
with the adviser? If so, why? Should we provide an explicit exclusion
for all advisers that engage service providers to perform covered
functions as part of a larger program or arrangement, such as the
sponsor of a wrap fee program or other separately managed account
program in which the sponsor is subject to the proposed rule with
respect to the participation of the service providers in the program?
20. The proposed rule does not specify how an adviser would
``retain'' a service provider in compliance with the proposed rule.
Should we require a written agreement or some other written
documentation between the adviser and service provider to perform a
covered function under the proposed rule? If so, what provisions should
we require? For example, should certain elements of the proposed rule's
due diligence requirements instead be required in a contract between
the adviser and service provider? Should there be a written agreement
requirement for certain covered functions and not others? For example,
should the rule identify a sub-set of the proposed definition of
covered function as critical covered functions and require a written
agreement in those circumstances only? If the final rule were to,
instead, define covered function by listing certain specific functions,
such as described in request for comments 5, 6, 7, and 8 above, should
we require a written contract between the adviser and these service
providers? Are there any contexts in which a written agreement may be
more feasible than others? Alternatively, should we not require a
written agreement but instead require disclosure in Form ADV Part 1A of
whether an adviser has a written agreement for each covered function or
require disclosure only if the adviser does not have a written
agreement for a particular covered function?
21. Is the scope of the proposed rule sufficiently clear in its
application to various advisory arrangements such as, among others,
separately managed accounts, wrap-fee programs, robo-advisory services,
and model portfolio providers? Is it clear how it applies when
technology is used as part of advisory services, such as artificial
intelligence, foundation models, or software as a service? Why or why
not?
22. With respect to an adviser's clients, should the rule apply to
any service providers an adviser retains on behalf of all of the
adviser's clients, as proposed, including clients that are registered
investment companies or private funds? Why or why not? Should services
provided to a fund, such as fund administration, transfer agent,
principal underwriter or custody services, be deemed to be ``investment
advisory services'' or otherwise covered under the proposed rule and
related recordkeeping requirements? Should we provide an explicit
exception for advisers when a registered investment company retains the
listed service providers in rule 38a-1 under the Investment Company Act
of 1940 (``Investment Company Act'') instead (i.e., principal
underwriter, fund administrator, and transfer agent)? What about with
respect to private funds, which are not subject to rule 38a-1? Should
we provide an explicit exception from the proposed rule if any such
engagement is approved, in the case of a registered fund, by the board,
including a majority of the independent directors, or in the case of a
private fund, by a majority of the Limited Partner Advisory Committee
or equivalent body?
23. Should we include subadvisers within the scope of the rule, as
proposed? Why or why not? Should this differ based on whether the
subadviser for a fund is engaged by the adviser or the fund itself?
24. The proposed rule excludes a supervised person of an investment
adviser from the definition of provider. Do commenters agree that it
would be duplicative to apply the rule in this context? Should the
proposed rule also exclude an adviser's affiliated or related persons?
Should such an exclusion depend on whether the affiliate or related
person is separated from the
[[Page 68826]]
adviser by information barriers? Why or why not?
25. Would it be duplicative or otherwise unnecessary to apply the
rule in the context of an adviser's affiliates, as proposed? If so,
please explain.
26. Should the proposed rule provide an exception for firms that
are dually registered broker-dealers? For example, should we provide an
exception for firms that comply with existing broker-dealer provisions
such as FINRA Rule 3110 (Supervision) to meet a dual registrant's
obligation under these rules? Should there be an exception for
outsourcing to SEC-registered advisers or other service providers that
are themselves subject to regulation under the Federal securities laws?
Should such an exception be limited to outsourcing to another adviser
or manager (including banks and trust companies) when the other adviser
or manager treats the client as its own client (as may be evidenced,
for example, by the client's entry into documentation appointing the
adviser or manager, the inclusion of the client as a client on the
books and records of the adviser or manager, or the delivery of
disclosure documents of the adviser or manager to the client)?
27. To what extent do advisers already take the steps that would be
required by the proposed rule? Do commenters believe that the proposed
rule is necessary? Why or why not? To the extent that commenters
believe that the proposed rule is already covered by the general
fiduciary duty enforceable under Section 206 of the Advisers Act, do
commenters believe there is sufficient clarity in the industry as to
the obligations for an adviser in the context of retaining service
providers? And if so, how do those obligations differ from what is
outlined in this proposed rule?
28. Are the proposed changes to the books and records rule
appropriate? Are there alternative or additional recordkeeping
requirements we should impose? For example, should we require that the
record include specific information or be memorialized in a written
memo or report? Should we require advisers to update the list of
covered functions within prescribed time periods such as monthly,
quarterly or annually?
29. Should we require advisers to make and keep true, accurate, and
current a list of covered functions? Why or why not? Should we specify
any particular method for making the list or record of factors to
consider? Should we require a specific method of maintaining the list
of covered functions such as in its policies and procedures?
30. Do commenters believe it would be overly burdensome to require
a record of factors that led the adviser to list each covered function,
as proposed? Why or why not? Should we instead only require the list of
covered functions without requiring the record of factors for each
covered function?
B. Due Diligence
The proposed rule would require advisers to conduct reasonable due
diligence before engaging a service provider to perform a covered
function.\49\ We believe it is essential for an investment adviser to
evaluate whether and how it will continue to meet its obligations to
its clients, and the requirements of the Federal securities laws,
including its obligations as a fiduciary, when it chooses to
outsource.\50\ The due diligence requirement would provide guidelines
to help ensure that the nature and scope of the covered function, as
well as the risks associated with the adviser's use of service
providers are identified and appropriately mitigated and managed. This
also could reduce the risk that the adviser's outsourced services are
not performed or are performed negligently. Specifically, the proposed
rule would require an adviser to reasonably identify and determine that
it would be appropriate to outsource the covered function, that it
would be appropriate to select the service provider, and once selected,
that it is appropriate to continue to outsource the covered function,
by complying with six specific elements:
---------------------------------------------------------------------------
\49\ See proposed rule 206(4)-11(a)(1).
\50\ See In the Matter of AssetMark, Inc. (f/k/a Genworth
Financial Wealth Management, Inc.), Investment Advisers Act Release
No. 4508 (Aug. 25, 2016) (settled order) (AssetMark's due diligence
was insufficient to confirm the accuracy of performance data from a
third-party and therefore AssetMark failed to have a reasonable
basis for the accuracy of the performance and performance-related
claims made in its advertisements); see also In the Matter of
Pennant Management, Inc., Investment Advisers Act Release No. 5061
(Nov. 6, 2018) (settled order) (Pennant negligently failed to
perform adequate due diligence of a third party which ultimately
contributed to substantial client losses).
---------------------------------------------------------------------------
(i) Identify the nature and scope of the covered function the
service provider is to perform;
(ii) Identify and determine how it would mitigate and manage the
potential risks to clients or to the investment adviser's ability to
perform its advisory services, resulting from engaging a service
provider to perform a covered function and engaging that service
provider to perform the covered function;
(iii) Determine that the service provider has the competence,
capacity, and resources necessary to perform the covered function in a
timely and effective manner;
(iv) Determine whether the service provider has any subcontracting
arrangements that would be material to the service provider's
performance of the covered function, and identifying and determining
how the investment adviser will mitigate and manage potential risks to
clients or to the adviser's ability to perform its advisory services in
light of any such subcontracting arrangement;
(v) Obtain reasonable assurance from the service provider that it
is able to, and will, coordinate with the adviser for purposes of the
adviser's compliance with the Federal securities laws; and
(vi) Obtain reasonable assurance from the service provider that it
is able to, and will, provide a process for orderly termination of its
performance of the covered function.
The proposed rule requires that the due diligence be conducted
``before engaging'' a service provider, which would be before the
adviser and service provider agree to the engagement, or agree to add
new covered functions or services to an existing engagement.\51\ It
would not be appropriate for the adviser to assess the risks of
outsourcing a covered function to a particular service provider, for
the first time, after it engaged the service provider.\52\ Conducting
initial due diligence after engagement would unnecessarily subject the
adviser's clients to potentially unknown and unmitigated risks
associated with outsourcing the covered function to the service
provider. Those risks could result in harm to the client that could
have been avoided had due diligence been conducted beforehand.
---------------------------------------------------------------------------
\51\ For written agreements, this would be the date it is
executed by both parties, or if different days, the later of the
dates each party executes it.
\52\ See infra section II.G (Transition and Compliance and
related discussion).
---------------------------------------------------------------------------
The proposed rule also requires that service provider due diligence
be conducted ``reasonably.'' This would mean an adviser's due diligence
must reasonably be tailored to the function or services that would be
outsourced and to the identified service provider. An adviser's
analysis of a specific service provider's competence, capacity, and
resources generally would not require boundless analysis or the
identification of every conceivable risk of outsourcing, but must be
reasonable under the facts and circumstances. The proposed rule is
intended to allow registrants to tailor their due diligence practices
to fit the nature, scope, and risk profile of a
[[Page 68827]]
covered function and potential service provider.
For example, in determining whether to engage a third-party digital
investment advisory platform, a registrant may not need to conduct a
detailed analysis and review of the underlying computer code. However,
the registrant generally should obtain a reasonable understanding of
how the platform is intended to operate, determine that the platform
operates as intended, and confirm the platform generates advice that is
suitable for the registrant's clients. The registrant could consider
also the risks of the digital platform that could result in material
harm to a client and conclude that it can mitigate and manage those
risks. In conducting this analysis, the adviser could review factors
such as:
<bullet> Comparative digital platform methodologies, including
their respective parameters, benefits, and risks;
<bullet> The digital platform's compliance and operational policies
and procedures for the protection of client accounts and key systems,
and its policies and procedures addressing the maintenance and
oversight of the digital platform;
<bullet> The sufficiency of the digital platform's client
questionnaire for enrolling clients in the advisory service;
<bullet> The digital platform's general process for developing,
revising, and updating the advice or recommendations that it generates;
<bullet> The general process for and results of the service
provider's testing and backtesting of the digital platform and the
post-implementation monitoring of its performance; and
<bullet> The digital platform's prevention and detection of, and
response to, cybersecurity threats.\53\
---------------------------------------------------------------------------
\53\ Commission staff addressed similar issues in a guidance
update. See Robo-Advisers, IM Guidance Update, No. 2017-02 (Feb.
2017) (discussing robo-adviser specific factors that an adviser may
consider in adopting written policies and procedures).
---------------------------------------------------------------------------
Ultimately, conducting due diligence is not a one-size-fits-all
process. Whether an adviser tailors its due diligence such that it is
reasonable under the proposed rule would depend on the facts and
circumstances applicable to the services to be performed and the
identified service provider.
1. Nature and Scope of Covered Function
The first element in the proposed due diligence requirements would
require an adviser to identify the nature and scope of the covered
function the service provider is to perform.\54\ This might include
documenting a description of the nature and scope of the covered
function in a written agreement, memo to file, database, or other form
the adviser deems appropriate.\55\ As part of its identification, an
investment adviser generally should understand what services will be
provided and how the service provider will perform those services. We
believe such identification is important to reduce the risks of
performance shortfalls by the service provider due to the adviser's or
its service provider's insufficient understanding of the nature and
scope of the covered function. A clear understanding between the
adviser and service provider of the nature and scope of the applicable
covered function should help ensure that the service provider is
performing the function that the adviser believes is being performed
and reduce the risk of harm to clients and investors as a result of
inadequate, negligent, or otherwise insufficient performance of the
covered function.
---------------------------------------------------------------------------
\54\ Proposed rule 206(4)-11(a)(1)(ii). As further discussed
below, we are also proposing a new books and records provision, rule
204-2(a)(24) that would require advisers to make and retain a list
or other record of covered functions that the adviser has outsourced
to a service provider.
\55\ We are also proposing amendments to Form ADV Part 1A under
which an adviser would be required to disclose information about its
service providers of covered functions. See supra section II.D.
---------------------------------------------------------------------------
What is included in ``nature and scope'' under the proposed rule
would vary depending on the facts and circumstances, and the level of
detail should reasonably reflect relevant factors such as the nature,
size, and complexity of the covered functions involved. For example, if
the service provider performing a covered function is an index
provider, then the identification of the nature and scope of the
covered function might relate to such things as index license terms,
rebalancing frequency, and frequency of data delivery from the provider
to the adviser. If an adviser outsources its trading desk functions,
then the adviser might wish to identify descriptions of the trading
desk services, as well as any ancillary activities related to those
services, such as software or other technological support and
maintenance, business continuity and disaster recovery, employee
training, and customer service, including the extent to which the
provider would perform the services itself or hire others to perform
them.
As part of this analysis, an adviser also might wish to identify
the frequency, content, and format of the service provider's covered
function. The analysis also might vary depending on the types of risks
identified during the adviser's due diligence process. If an adviser
identifies certain risks related to outsourcing a particular task or
related to using a particular service provider, then the adviser
generally should take those risks into account when identifying the
nature and scope of the covered function. For example, the adviser
might wish to determine how the adviser's information, facilities, and
systems (including access to and use of the adviser's or the adviser's
clients' information) would be used and any protections that would be
put in place for use of such items. If an adviser were to engage a
service provider to perform portfolio management services for its
clients, and the adviser would be sharing non-public trading
information and/or its advisory clients' personally identifiable
information, the adviser generally should negotiate and identify how
such information would be managed in order to mitigate the risk that
such information may be mishandled.\56\
---------------------------------------------------------------------------
\56\ Rules related to maintaining the privacy of client
information also would apply. See, e.g., 17 CFR 248.11(a) (reuse and
redisclosure of nonpublic personal information that nonaffiliated
trading services provider receives from adviser limited to
performing trading services for the adviser's clients). See also 17
CFR 248.201(e)(4) (applicable to advisers that are a financial
institution or creditor with covered accounts); Reg. S-ID, Appendix
A, at Section VI(c).
---------------------------------------------------------------------------
2. Risk Analysis, Mitigation, and Management
The proposed rule would require an adviser to identify the
potential risks to clients, or to the adviser's ability to perform its
advisory services, resulting from outsourcing a covered function. In
doing so, we believe an adviser generally should assess and consider
prioritizing the risks created by outsourcing the function in light of
the adviser's particular business processes.\57\ As discussed above,
[[Page 68828]]
outsourcing an investment adviser's function without a minimum and
consistent framework for identifying, mitigating, and managing risks,
can undermine the adviser's provision of services and mislead or
otherwise harm clients. A lack of such a framework could indicate that
it is unreasonable for an adviser to outsource the function. Potential
client harm caused by a service provider's failure to perform or
negligent performance of the outsourced function could be significantly
mitigated, or even avoided, if the adviser first identifies the risk,
and then determines, before outsourcing a function, how to mitigate and
manage the risk.
---------------------------------------------------------------------------
\57\ We believe a risk prioritization approach is a commonly
used and effective practice in the industry. Also, the Commission
proposed a risk prioritization approach for cybersecurity risk
assessment. We encourage commenters to review that proposal to
determine whether it might affect their comments on this proposing
release. See Cybersecurity Risk Management for Investment Advisers,
Registered Investment Companies, and Business Development Companies,
Investment Advisers Act Release No. 5956 (Feb. 9, 2022) [87 FR 13524
(Mar. 9, 2022)] (``Proposed Cybersecurity Release'') (stating that
``[a]s an element of an adviser's or fund's reasonable policies and
procedures, the proposed cybersecurity risk management rules would
require advisers and funds periodically to assess, categorize,
prioritize, and draft written documentation of, the cybersecurity
risks associated with their information systems and the information
residing therein.'').
---------------------------------------------------------------------------
There are a variety of potential risks that an adviser should
generally consider, such as the sensitivity of information and data
that would be subject to the service or to which the service provider
may have access, the complexity of the function being outsourced, the
reliability and accuracy of the service or function delivered by the
service provider, extensive use of particular service providers by the
adviser or several advisers, available alternatives in the event a
service provider fails or is unable to perform the service, the speed
with which a function could be moved to a new service provider,
existing and potential conflicts of interest of the service
provider,\58\ geographic location of the service provider,
unwillingness to provide transparency, known supply-chain challenges,
and the availability of market resources skilled in the service. Key to
this process might include determining the likely potential impact--
particularly to the adviser's clients, to investors in the adviser's
fund clients, or to the adviser's ability to perform its advisory
services--of the failure, or improper performance, of the function to
be outsourced.
---------------------------------------------------------------------------
\58\ Advisers may have disclosure obligations related to
conflicts of interest that arise from other provisions of the
Federal securities laws. See, e.g., Form ADV Part 2, General
Instruction 3 (stating that advisers ``must seek to avoid conflicts
of interests with [their] clients, and, at a minimum, make full
disclosure of all material conflicts of interest . . . that could
affect the advisory relationship.'').
---------------------------------------------------------------------------
For example, outsourcing records administration, personal
securities trading clearance and compliance, or client trading services
may result in the service provider gaining access to the adviser's non-
public trading information (e.g., client account positions, active
trade orders, restricted securities trading list), or personally
identifiable information (``PII'') about an adviser's clients. In these
circumstances, it would be important for the adviser to consider
whether use of a service provider would increase the likelihood that
the non-public trading information or PII could be mishandled, misused,
subject to unauthorized access, or otherwise subject to a heightened
risk.\59\ This risk may be amplified when outsourcing to an offshore
service provider that is unfamiliar with applicable U.S. laws and
regulations, is potentially subject to laws that apply a different
standard, and may cause delays in production of records. In the case of
an offshore service provider, the adviser should consider whether the
service provider's policies, procedures, and operations comply with
applicable United States laws and regulations, and whether the service
provider is able to demonstrate experience servicing clients that are
subject to Federal securities laws. Further, the adviser should
consider the potential impact to its advisory business and its clients
if the non-public trading information or PII were subject to a breach
via the service provider.
---------------------------------------------------------------------------
\59\ Advisers should also note that outsourcing that transfers
PII to third parties could implicate legal restrictions on sharing
by the adviser of such information.
---------------------------------------------------------------------------
When an adviser outsources any covered function it introduces new
relationships and the potential for new conflicts of interest, such as
the service provider's incentives to meet its obligations to some
clients ahead of others, to devote more resources to a different line
of business than the one for which the provider was hired, or to favor
affiliates.\60\ The adviser should identify these risks and determine
how it will mitigate and manage them. For example, outsourcing some
client portfolio management functions to a model provider may introduce
new conflicts of interest issues for the service provider that the
adviser may want to consider. In such a circumstance, an adviser
generally should consider potential issues such as whether the service
provider also provides services to the service provider's affiliates
and how the service provider prioritizes providing models among clients
that pay different fees to the service provider. This is because the
service provider could have a financial incentive to provide favorable
prioritization or terms to its affiliates or clients paying the service
provider a higher fee. If so, the adviser generally should consider how
to mitigate this conflict of interest through approaches such as
obtaining contractual representations and warranties about the service
provider's procedures, reviewing the service provider's applicable
written policies and procedures, or obtaining a contractual right to
audit the service provider.
---------------------------------------------------------------------------
\60\ As fiduciaries, advisers must seek to avoid conflicts of
interest with clients, and, at a minimum, make full disclosure of
all material conflicts of interest between the adviser and clients
that could affect the advisory relationship. See Form ADV Part 2
General Instructions. Advisers may disclose this information in
their Part 2 of Form ADV or by some other means.
---------------------------------------------------------------------------
Another common example that illustrates the importance of an
adviser's risk analysis occurs when an adviser seeks to outsource all
or portions of its compliance function. There can be benefits to
relying on a third party with potentially greater compliance experience
and expertise, but an adviser also generally should consider the nature
of its business and whether a potential provider can sufficiently
understand, ingest, and address the unique compliance needs of the
adviser's business. The adviser can seek to mitigate and manage this
risk by generally considering certain steps such as seeking references
from other clients of the service provider, conducting interviews of
key service provider personnel, ensuring the compliance service
provider will customize its services to meet the needs and unique
aspects of the adviser's particular business, obtaining written
assurances about the experience and skills of the service provider
personnel that will be assigned to the adviser's account, and obtaining
the right to audit the functions being performed by the service
provider periodically.
The proposed rule also would require advisers to identify the risks
of outsourcing to a particular service provider. We understand that
many advisers currently take a variety of steps to understand the risks
of their service providers and those of certain service providers.
These steps may include reviewing a summary of a service provider's
business continuity plan, due diligence questionnaires, an assurance
report on controls by an independent party, certifications or other
information regarding a provider's operational resiliency or
implementation of compliance policies, procedures, and controls
relating to its systems, results of any testing, and conducting
periodic onsite visits. The nature, depth, and complexity of this
analysis would be dependent, in part, on the adviser's assessment of
risks associated with the function being outsourced. If an adviser
determines that the risk of outsourcing a particular function is
relatively high, then the adviser generally should consider adjusting
its due diligence of the particular provider commensurate with that
risk assessment. An adviser
[[Page 68829]]
also generally should consider that a provider may pose unique or novel
risks such as international operations, limited financial or
operational history, lack of financial or operational transparency,
lack of sufficient operating capital to support long-term operations,
inability or unwillingness to provide client references, insufficient
availability of qualified personnel, infrastructure susceptibility to
extreme weather, lack of adequate data security, and prior service
failures.
For example, if the outsourced function involves valuation of
illiquid or private securities, the adviser generally should consider
whether the particular service provider has the capability and
experience to provide accurate and timely information. Inaccurate or
untimely valuation information could affect the adviser's strategy,
resulting in negative financial consequences for the adviser's clients.
A lack of necessary sophistication or inability to perform timely are
examples of service provider issues that generally should be identified
and addressed before the service provider is engaged.
The proposed rule would also require an adviser to determine how it
will mitigate and manage the identified risks. This could be
accomplished through a variety of means, including actions taken by the
adviser, or actions taken by the service provider at the adviser's
request or direction. If an adviser determines that risks cannot be
mitigated or managed adequately, the adviser generally should consider
factors such as whether it is consistent with an adviser's fiduciary
responsibility to its clients to move forward with outsourcing the
function, whether outsourcing the function may increase the risk of
fraud against the adviser's clients, or whether there is a viable
alternative to outsourcing.
There are a multitude of ways that an adviser may mitigate or
manage risks, subject to the applicable facts and circumstances
surrounding the function. To mitigate the identified risks, an adviser
generally may consider the potential impacts of the risks occurring,
the frequency with which the risks may occur, and how to avoid or
lessen those impacts. This could include considering whether the
service provider allows sufficient transparency such that the adviser
reasonably can monitor the outsourced functions to confirm they are
performed correctly and developing and implementing written policies
and procedures to oversee the service provider. For example, if an
adviser incorporates a service provider's software to manage its
portfolio risk, a flaw in the software could adversely affect client
portfolios. It would therefore be important that the service provider
sufficiently explains and demonstrates how the software operates so
that the adviser can understand, identify, and determine whether it can
mitigate any risks that the use of the software may pose. The adviser
also generally should consider whether and how the service provider
would provide notice of software failure, and how the service provider
will respond in the event of a failure. Similarly, in the event the
adviser is U.S.-based and outsourcing to a non-U.S.-based service
provider, the adviser generally should consider whether and how it can
effectively monitor the performance of the covered function, and
whether there are any unique limitations or risks posed by the location
where the services will be provided, such as geopolitical instability,
heightened exposure to extreme weather, lack of U.S. legal jurisdiction
and ability to enforce legal rights, infrastructure challenges such as
instability in the power grid or internet services, or lack of access
to an experienced workforce. If the adviser determines it cannot
effectively monitor the performance of a covered function, it generally
should consider whether outsourcing is consistent with the adviser's
fiduciary responsibility to its clients, whether outsourcing may
increase the risks for the adviser's clients, and whether there is a
viable alternative to outsourcing.
An adviser may also mitigate and manage the risks of failing to
perform a function by implementing contractual safeguards or pursuing
alternative options. For example, if a service provider placing trades
for the adviser's clients experienced a trading delay or stopped
trading altogether, there may be material negative impacts on the
adviser's clients. To mitigate the risk of this scenario, the adviser
could enter into a contractual agreement with the service provider that
identified, in advance of such an event, a substitute trading
arrangement to be implemented within a timeframe that would cause as
little disruption to clients as possible. An adviser also could
establish a redundancy in the outsourced service or function. For
example, an adviser could engage a primary pricing provider for
illiquid securities, and also have an arrangement with a secondary
pricing provider. The secondary provider could provide prices in the
instance that the first pricing service fails, and otherwise be used,
for example, to validate accuracy and identify potential anomalies in
the data provided by the primary pricing provider. Such contractual
provisions may be particularly important in preventing harm to the
adviser's clients. Regardless of who a contract indicates should remedy
such a situation or who is liable for a particular breach, a service
provider's failure to perform does not excuse the adviser from its
fiduciary duty and other legal obligations and liabilities.
3. Competence, Capacity, Resources
Once an adviser has identified the risks related to outsourcing the
function and the risks of the service provider, the proposed rule would
require the adviser to determine that the service provider has the
competence, capacity, and resources necessary to perform the covered
function in a timely and effective manner. Outsourcing an investment
adviser's function to a service provider without making this
determination can undermine the adviser's provision of services and
mislead or otherwise harm clients. When an investment adviser holds
itself out as providing advisory services or agrees with a client to
provide such services, the adviser implies that it remains responsible
for the performance of those services and will act in the best interest
of the client in doing so. If an adviser retains a service provider
without ensuring the service provider is able to perform the function
in a timely and effective manner, the adviser would not be ensuring its
obligations will be met and clients could be harmed if the service
provider fails to perform or negligently performs the covered function.
Therefore, in order to comply with its legal obligations when
outsourcing a function, the adviser should confirm that the service
provider is able to perform the applicable function timely and
effectively to the same standards directly applicable to the adviser.
The determination of competence, capacity, resources, and
performing the function timely and effectively should be based on the
facts and circumstances of the functions being outsourced. For example,
if outsourcing a function is high risk due to the complexity of the
function, the adviser may want to assess competence by focusing on the
experience and expertise of the service provider's personnel and the
comprehensiveness of their processes and methodologies. If the function
is labor intensive, the adviser may wish to consider factors such as
whether the service provider has the necessary staffing capacity to
provide the function and the service provider's historical staff
retention rates. If the function requires specialized equipment or
[[Page 68830]]
technology, the adviser may wish to seek evidence that the service
provider possesses those resources. If the function is novel or is
unique to the adviser, the adviser may wish to consider whether it is
even appropriate to outsource due to a lack of service providers with
the necessary competence, capacity, or resources to perform the
function. In all of these instances, the adviser may consider whether
and how the service provider can perform the covered function such that
it effectively addresses the adviser's and its client's needs.
In addition to considering the facts and circumstances of the
function being outsourced, we believe an adviser's analysis of
competence generally should include an understanding of how the service
provider will perform the function. For this, the adviser generally
should verify that the service provider is able to explain and
demonstrate clearly how the function will be performed. This enables
the adviser to confirm it is outsourcing to a competent service
provider, mitigates the risk of potential harm to the adviser's clients
of a failure to perform, and educates the adviser in order to better
monitor the service provider once engaged. For example, if an adviser
is outsourcing its robo-advisory product to a third-party digital
investment platform the adviser generally should understand the client
factors considered by the platform, the methodology used by the
platform to generate any recommendations, the factors that may alter
that methodology, any highly technical or complex aspects of the
methodology such as incorporation of artificial intelligence, and the
service provider's procedures for testing and oversight of the
methodology.
4. Subcontracting Arrangements
The proposed rule would require that the adviser determine whether
the service provider has any subcontracting arrangements that would be
material to the performance of the covered function. In the event of
such a subcontracting arrangement, the proposed rule would also require
that the adviser identify and determine how it will mitigate and manage
potential risks to clients or its ability to perform advisory services
in light of any such subcontracting arrangement.\61\
---------------------------------------------------------------------------
\61\ Proposed rule 206(4)-11(a)(1)(iv).
---------------------------------------------------------------------------
In making these determinations, an adviser generally could rely on
representations provided by the service provider or could develop
policies and procedures with certain limitations or conditions when
engaging a service provider that uses subcontractors. For example, an
adviser may implement a policy that prevents the adviser from retaining
a service provider that primarily relies on subcontractors to perform
the covered function, or implement a procedure to audit the service
provider's oversight of its subcontractors. An adviser also may enter
into a written agreement with the service provider that requires the
service provider to notify the adviser of any material incidents that
take place at the subcontractor that may cause a failure to perform a
covered function by the service provider. When determining how to
mitigate and manage potential risks of outsourcing in light of any
subcontracting arrangement, the adviser could consider relying on
written representations the service provider makes about steps it is
taking to mitigate and manage such risks.
Service providers may utilize subcontracting arrangements for any
advisory services and functions, which creates a chain of service
providers to an adviser. The absence of a direct relationship with a
subcontractor may affect the adviser's ability to assess and manage
risks that develop as a result of outsourcing. Outsourcing risks are
heightened when an adviser uses service providers for ``covered
functions'' that, by definition under the proposed rule, if not
performed or performed negligently would be reasonably likely to cause
a material negative impact on an adviser's clients or its ability to
provide advisory services. Because the adviser ultimately has the
responsibility for providing advisory services and complying with the
Federal securities laws, we believe it is important that the adviser
know about material subcontracting arrangements so that it can oversee
the covered function properly.
Requiring the adviser to determine whether the service provider has
any subcontracting arrangements might provide more visibility into the
outsourcing chain by the adviser. However, we also recognize that a
service provider may use a large number of subcontractors for a variety
of functions or services at various points in time. As a way to balance
the burden of having to determine how the adviser will mitigate and
manage potential risks with respect to every subcontractor with the
benefit of the adviser having some visibility into the use of
subcontractors, we believe that the determination should be limited to
subcontracting arrangements that would be material to the service
provider's performance of the covered function. To determine whether a
subcontracting arrangement is material, we believe it is appropriate
generally to follow the standard used in the proposed definition of
covered function. Thus, a subcontracting arrangement would be material
if nonperformance or negligent performance would be reasonably likely
to cause a significant negative impact on the service provider's
ability to perform the covered function. A subcontracting arrangement
that is subject to this standard would depend on the type of
subcontractor being used and the nature and scope of the subcontracting
arrangement. For example, if an adviser engaged a subadviser to manage
certain of its clients' portfolios, and the subadviser outsourced some
or all of its portfolio management to a subcontractor, we generally
would consider this to be material because the subadviser would be
outsourcing the function that the adviser had engaged the subadviser to
perform. In such an instance, we believe the subcontractor's failure to
perform or negligent performance of portfolio management would be
reasonably likely to cause a significant negative impact on the
subadviser's performance of the covered function, which would be
reasonably likely to cause a material negative impact on the adviser's
ability to provide its investment advisory services.
We believe that requiring this determination and risk assessment of
any subcontracting arrangements that would be material to performance
of a covered function is important because having a chain of providers
increases the risk of lack of transparency and control by the adviser
if there were an issue within the chain. We believe that to the extent
a service provider uses any subcontractors that are material to the
performance of its covered function, the adviser generally should
conduct further monitoring and put in place risk management processes
to mitigate potential harm to the adviser, and its advisory clients.
5. Compliance Coordination
The proposed due diligence provision would require an adviser to
obtain reasonable assurance from a service provider that it is able to,
and will, coordinate with the adviser for purposes of the adviser's
compliance with the Federal securities laws, as applicable to the
covered function. An adviser remains liable for its obligations,
including under the Advisers Act, other Federal securities laws and any
contract entered into with the client, even if the adviser outsources
functions. The proposed requirement would alert the service provider to
those responsibilities
[[Page 68831]]
and obtaining reasonable assurances would help the adviser ensure that
it can continue to meet its compliance obligations despite outsourcing
those functions.
For example, an adviser may rely on a service provider for part of
its portfolio management function. While not required under the
proposed rule, that adviser may wish to consider obtaining written
assurances or written representations from the service provider that it
is aware of the adviser's obligations under the Advisers Act, and that
it will assist the adviser, as applicable, in complying with its
obligations as a fiduciary. For additional clarity, the adviser may
wish to consider articulating specific responsibilities of the service
provider in relation to assisting the adviser to comply with its legal
obligations. As another example, an adviser may rely on an outsourced
chief compliance officer or compliance consultant for updating and
filing the adviser's Form ADV, including Form CRS. Such an adviser may
want to obtain assurances or representations from the service provider
that it has sufficient knowledge of the adviser's business such that
the adviser's Form ADV will be accurate and contain all required
disclosure. In discussions with our staff regarding Form ADV
compliance, some advisers have claimed ignorance of a filing not having
been made, or of missing, inadequate or inaccurate disclosure, due to
the adviser's reliance on an outsourced chief compliance officer or
compliance consultant. Similarly, in response to our staff's requests
for documents, advisers often indicate that they lack access to
information necessary to demonstrate compliance with a provision of the
Advisers Act and its rules or other Federal securities laws because of
outsourcing. In instances where our staff has requested records
demonstrating compliance with the brochure delivery rule,\62\ some
advisers that use client relationship management providers have
asserted that they have complied with the rule because brochure
delivery is programmed into the providers' software, though they cannot
produce records to evidence that delivery took place.
---------------------------------------------------------------------------
\62\ See rule 204-3.
---------------------------------------------------------------------------
6. Orderly Termination
The proposed rule would require an investment adviser to obtain
reasonable assurance from the Service Provider that it is able to, and
will, provide a process for orderly termination of its performance of
the covered function.\63\ This provision is designed to mitigate risks
of an interruption in advisory services or the adviser's compliance
with the Federal securities laws in the event that the outsourced
relationship is discontinued. An abrupt termination of a covered
function without a process to continue services in another way,
transfer records, and otherwise provide a smooth transition could have
a material negative impact on an adviser's clients or an adviser's
ability to provide investment advisory services to clients. For
example, if an adviser relied on a software provider to provide an
order management and trading application for the purposes of placing
orders on behalf of the adviser's clients, and the software provider
abruptly terminated its services without the adviser being able to
replace the provider or move the services in-house, then the
termination would be reasonably likely to cause a material negative
impact on the adviser's ability to provide investment advisory
services. This is because the adviser may not be able to place orders
at or near normal volumes or as efficiently. Such harm could be
mitigated by the proposed due diligence requirement to obtain
reasonable assurance from a service provider that it is able to, and
will, provide a process for orderly termination of its performance of
the covered function.
---------------------------------------------------------------------------
\63\ Proposed rule 206(4)-11(a)(2)(vi).
---------------------------------------------------------------------------
Orderly termination of a service provider's performance of a
covered function might include the adviser ensuring that no ongoing
operational and technological dependency on the service provider
remains after the termination of the relationship with the service
provider. For example, an adviser might consider obtaining reasonable
assurance, whether through a written agreement or some other means,
from the service provider that it will provide a notice of intent to
terminate in a specified amount of time or other similar process so
that the service provider does not abruptly terminate its services to
the detriment of the adviser and its clients.
Given the variety of advisers and providers and different levels of
complexity with respect to outsourced functions, the proposed rule is
designed to afford advisers and service providers the flexibility to
establish what would constitute ``orderly'' termination in light of the
risks involved. The adviser must be able to stay in compliance with its
obligations under the Advisers Act and its rules during and after
termination. Accordingly, the process that allows for ``orderly''
termination generally should reflect consideration of certain factors
such as the type of covered function and applicable regulatory
requirements. For example, if the covered function were recordkeeping
services, then the adviser should account for how to continue to stay
in compliance with the regulatory requirements with respect to
recordkeeping after termination of the agreement. If the covered
function were valuation services, then the adviser should consider how
to transition different client accounts prior to complete termination
and how to stay in compliance with any valuation requirements. In
addition to ensuring proper transfer or retention of records, advisers
generally should consider how they would maintain operational,
regulatory, or other capabilities as a result of terminating the
service provider engagement.
An ``orderly'' termination process also should be designed to
handle confidential and other sensitive information securely. The
adviser and service provider generally should consider ways to ensure
that no confidential data or information remains with the service
provider other than that required to meet the service provider's
contractual obligations or the service provider's own legal
obligations, if any. For example, a service provider that performs
valuation services may have been granted access to certain adviser
back-office or middle-office systems and internal reports, and the
adviser and service provider might wish to agree to allow for
verification that the provider's access is terminated either
immediately upon notification of termination or after a reasonable
amount of time once all accounts have been closed by the service
provider. The adviser and service provider might also agree to the
return or destruction of any copies of reports or confidential
information after the terms of termination are satisfied, depending on
the length of time it would take.
Relatedly, an ``orderly'' termination process also generally should
contemplate reasonable time frames to allow for timely transfer or
destruction of any data, as appropriate or necessary. Such provisions
would facilitate the continuity and quality of the outsourced functions
in the event of termination. For example, if an adviser wants to
protect its ability to change its subadviser when appropriate without
undue restrictions, limitations, or cost, then the adviser generally
should consider termination and transfer arrangements with reasonable
time frames to allow for timely transfer of confidential adviser and
client information from the original service provider to the new
service provider.
In addition to ensuring the adviser stays in compliance with its
regulatory
[[Page 68832]]
obligations during and post-termination of a relationship with a
service provider, the adviser might consider provisions in a written
agreement or some other form to protect itself against certain failures
or breaches by the service provider such as termination rights, clear
delineation of ownership of intellectual property, and the obligation
of the service provider to assist and provide support for a successful
and complete transition or termination.
7. Recordkeeping Provisions Related to Due Diligence
Finally, the proposal would amend the Advisers Act books and
records rule to require advisers to make and retain specific records
related to their due diligence assessment.\64\ These records include a
list or other record of covered functions the adviser outsourced to a
service provider including the name of each service provider, the
factors that led to listing it as a covered function on Form ADV, and
documentation of the adviser's due diligence assessment. The due
diligence records would include any policies or procedures or other
documentation showing how the adviser would mitigate and manage the
risks it identifies, both at a covered function and a service provider
level. The proposed amendments would also revise the books and records
rule to require a copy of any written agreement, including any
amendments, appendices, exhibits, and attachments, entered into with a
service provider regarding covered functions. The records would have to
be maintained in an easily accessible place while the adviser
outsources the covered function and for a period of five years
thereafter.\65\ This aspect of the proposal is designed to facilitate
our staff's ability to assess an adviser's compliance with the proposed
rule. We believe it would similarly enhance an adviser's compliance
efforts as well.
---------------------------------------------------------------------------
\64\ See proposed rule 204-2(a)(24).
\65\ See proposed rule 204-2(e)(4).
---------------------------------------------------------------------------
We request comment on all aspects of the proposed due diligence
requirement and corresponding proposed amendments to the Advisers Act
books and records rule, including the following items:
31. Should we adopt the due diligence requirements as proposed? Are
there other aspects of due diligence that should be required
additionally or instead? Conversely, should we exclude any of the
proposed due diligence requirements?
32. Should we require advisers to obtain third-party experts,
audits, and/or other assistance to oversee a service provider when the
adviser is outsourcing a function that is highly technical, or the
oversight requires expertise or data the adviser lacks? For example, if
an adviser is outsourcing to a service provider that provides valuation
or pricing of complex or private securities, or a service provider that
incorporates artificial intelligence into its services, should that
adviser be required to confirm it has sufficient internal expertise to
effectively oversee the service provider, and if not, obtain a third-
party expert to provide such oversight?
33. Advisers are currently required under rule 206(4)-7 to have
policies and procedures reasonably designed to prevent violations of
the Advisers Act and rules under the Act, and this requirement would
apply to the proposed rule. The proposed rule does not require
additional explicit written policies and procedures related to service
provider oversight. Should the rule require specific policies and
procedures in addition to or instead of the requirements in the
proposed rule? And if so, what specific provisions should be required?
Should we also include changes to rule 38a-1 under the Investment
Company Act?
34. Should we exempt certain service providers or covered functions
from some or all of the due diligence requirements? If so, which
service providers should we exempt, which due diligence requirements
should we exempt, and why?
35. Should we exempt certain categories of advisers or service
providers from the due diligence requirements, such as smaller (e.g., a
small business or small organization as defined in 17 CFR 275.0-7 or a
small business as defined by the U.S. Small Business Administration)
advisers or service providers or newly registered advisers? If so,
which ones and why? Alternatively, should we provide scaled due
diligence requirements, and if so, how? Would the proposed due
diligence requirements raise any particular challenges for smaller or
different types of advisers? If so, what could we do to help mitigate
these challenges?
36. The proposed rule requires that the due diligence be conducted
before the service provider is engaged. Are there reasons that due
diligence cannot be completed prior to engaging a service provider? If
so, please explain and provide examples. For example, should there be
an exception for emergencies? How would we define emergency? Should an
exception for emergencies be time-limited (e.g., one month) or
permitted for the duration of the emergency?
37. Are there other core factors that advisers should be required
to consider in conducting due diligence? If so, what are those factors?
For example, should advisers be required to confirm the financial
stability of a service provider through the review of audited
financials, or should certain service providers be required to provide
certain third-party certifications or reports such as a Systems and
Organizational Controls report \66\ (``SOC 1'') or other internal
control report? Should service providers be required to have third-
party financial support, such as fidelity bonds, errors and omissions
insurance, or other support? If so, what type and level of support
should be required?
---------------------------------------------------------------------------
\66\ See System and Organizational Controls: SOC Suite of
Services, AICPA, available at <a href="https://us.aicpa.org/interestareas/frc/assuranceadvisoryservices/sorhome.html">https://us.aicpa.org/interestareas/frc/assuranceadvisoryservices/sorhome.html</a>.
---------------------------------------------------------------------------
38. Is it clear what we mean by identifying the ``nature and
scope'' of the services? If not, how can it be made clearer?
39. The proposed rule is intended to provide flexibility to
investment advisers in the methods they use to identify outsourcing
risks. Should we dictate a specific method by which risks are
identified? For example, should we require that investment advisers
prioritize the identified risks and create a record of that
prioritization?
40. For purposes of identifying the risks of engaging a service
provider in the due diligence process, should the rule include a
materiality threshold?
41. Should the rule require advisers to adopt and implement service
provider risk management strategies, as proposed? Should the Commission
take a different approach to address these risks instead, such as
requiring disclosure of the risks to clients, or limiting the services
that can be outsourced?
42. Should the proposed rule require advisers to make
determinations about the service providers' competence, capacity, and
resources as proposed? Should the Commission take a different approach
instead? For example, should we require advisers to make reasonable
assessments instead? How much independent research would advisers be
able to accomplish to comply with this requirement?
43. Should the proposed due diligence books and records amendments
be expanded or limited in any way? Are there alternative, explicit, or
additional recordkeeping requirements we should impose?
44. The proposed due diligence provision requires that the adviser
determine whether the service provider
[[Page 68833]]
has any subcontracting arrangements that are material to the service
provider's performance of the covered function (emphasis added). Should
we provide more guidance on the term ``material''? Should we broaden
the requirement to any subcontracting arrangements? Should we exempt or
alter this requirement for service providers that are also investment
advisers? Finally, should we omit the requirement that the adviser
determine whether the service provider has any subcontracting
arrangements?
45. The proposed due diligence provision requires an adviser to
determine how it will mitigate and manage potential risks to clients or
the adviser's ability to perform its services in light of
subcontracting arrangements that would be material to a service
provider's performance of a covered function. Should we exempt certain
advisers from, alter, or delete this requirement, and if so why?
46. Is the provision requiring the adviser to obtain reasonable
assurance from the service provider that it is able to, and will,
coordinate with the adviser for purposes of compliance with the Federal
securities laws, as applicable to the covered function, appropriate?
Maintaining records required by the Federal securities laws is one
component of an adviser's regulatory compliance. Is there any overlap
between this provision requiring coordination for legal compliance more
broadly and the proposed requirement discussed below for an adviser to
obtain reasonable assurance from third-party recordkeepers to provide
required records to the adviser and Commission? If so, should we
address any potentially duplicative requirements?
47. Is the proposed requirement to obtain reasonable assurance that
the service provider is able, and will, provide a process for orderly
termination appropriate? Is it clear what we mean by ``orderly?''
Should we define what ``orderly'' means instead? If so, how should we
define it?
48. Are there circumstances in which an adviser might determine
that abrupt termination was reasonably necessary to protect clients? If
so, should the provision requiring obtaining reasonable assurance for
orderly termination of the performance of a covered function be revised
to permit advisers to exercise their judgment in such cases? For
advisers to registered investment companies, should abrupt termination
by the adviser require notification to the investment company board?
49. Should the Commission adopt the related recordkeeping
provisions as proposed or should they be changed? For example, should
the time period of retention be changed to five years after the entry
was made or three years after the relationship between the adviser and
service provider has been terminated?
C. Monitoring
Once a service provider is engaged, the proposed rule would require
the adviser to periodically monitor the service provider's performance
of the covered function and reassess the retention of the service
provider in accordance with the due diligence requirements of the
proposed rule with a manner and frequency such that the adviser can
reasonably determine that it is appropriate to continue to outsource
the covered function and that it remains appropriate to outsource it to
the service provider.\67\ Monitoring is critical to an adviser's
ability to discover and address problems in a timely manner, continue
providing its advisory services to clients, and comply with the Federal
securities laws.\68\ For example, if an adviser is relying on a service
provider's robo advice platform, the adviser generally should monitor
to ensure that the platform continues to operate and adjust to client
inputs as the adviser understands it should perform. The proposed
monitoring obligation also helps to support an adviser's duty to
monitor a client's account over the course of the relationship.\69\
Therefore, it would be inappropriate for an adviser to take a ``set-it-
and-forget-it'' mentality when outsourcing a function or service that
the adviser has agreed to perform or would otherwise be performing
itself in order to provide its advisory services or to satisfy
compliance obligations.
---------------------------------------------------------------------------
\67\ See proposed rule 206(4)-11(a)(2).
\68\ See In the Matter of Virtus Investment Advisers, Inc.,
Investment Advisers Act Release No. 4266, at 7 (Nov. 16, 2015)
(settled order) (``Virtus had no written policies and procedures for
evaluating and monitoring the accuracy of third-party-produced
performance information or third-party marketing materials that
Virtus directly or indirectly circulated or distributed to other
persons.'').
\69\ See Standard of Conduct Release, supra footnote 21, at 72
(stating that the duty of care includes, among other things, the
duty to provide advice and monitoring over the course of the
advisory relationship).
---------------------------------------------------------------------------
When considering the manner and frequency of monitoring, an adviser
should be mindful that it remains liable for its obligations, including
under the Advisers Act, other Federal securities laws and any contract
entered into with the client, even if the adviser outsources functions.
If an adviser cannot sufficiently monitor a service provider, or is
concerned that the service provider's actions or inactions may harm the
adviser's clients or result in a regulatory violation, then the adviser
may need to terminate the service provider relationship if possible. In
such an instance, an adviser generally should be cognizant of any
contractual limitations with a service provider that may impose
additional risks on the adviser's clients or otherwise affect the
adviser's analysis of whether to terminate the relationship.
The proposed monitoring requirement leverages processes similar to
due diligence, which we have stated above is not a one-size-fits-all
analysis. Thus, all monitoring generally should continue to take into
account all of the required elements for due diligence, including the
nature and scope of the service provider's services as well as the
risks of engaging the particular service provider performing that
function. The adviser generally should periodically evaluate the
validity of its conclusions drawn during the initial due diligence
process, and should adjust its monitoring to reflect changes in the
functions or services the service provider is engaged to perform,
industry or market changes that may affect the covered function, and
also adjust to reflect the findings of any preceding monitoring. In
order to continue outsourcing the service or function to the service
provider, the adviser should be able to determine reasonably that the
outsourcing remains appropriate.
The proposed rule would require an adviser to monitor its service
providers with a manner and frequency such that the adviser reasonably
determines that it is appropriate to continue (i) to outsource the
covered function and (ii) to outsource to the service provider. The
manner and frequency of an adviser's monitoring would depend on the
facts and circumstances applicable to the covered function, such as the
materiality and criticality of the outsourced function to the ongoing
business of the adviser and its clients.\70\ For example, certain
functions may require periodic onsite visits where other services may
be monitored remotely. Methods of monitoring could include, for
example, automated scans or reviews of service provider data feeds,
periodic meetings with the provider to review service metrics, or
contractual obligations to test and approve new systems prior to
implementation. The frequency of an
[[Page 68834]]
adviser's periodic monitoring also would be subject to factors such as
the frequency with which the covered function is conducted, the
complexity of the function, or the risk to clients of a failure to
perform or of negligently performing the function.
---------------------------------------------------------------------------
\70\ The Commission similarly concluded that different
frequencies of the required periodic re-assessment of valuation
risks may be appropriate for different funds or risks. See Good
Faith Determinations of Fair Value, Investment Company Act Release
No. 34128 at 14 (Dec. 3, 2020) [86 FR 748 (Jan. 6, 2021)].
---------------------------------------------------------------------------
In determining an appropriate frequency of monitoring, advisers
should consider whether there has been any change in the risk profile
of the covered function or the service provider. For example, if a
service provider announced significant layoffs of personnel, then it
may be necessary for the adviser to increase temporarily or permanently
the frequency and alter the manner of its monitoring to determine
whether the service provider continues to have the competence,
capacity, and resources necessary to perform the covered function in a
timely and effective manner. Alternatively, if new laws or regulations
were implemented that affected a specific function, then it similarly
may be necessary to alter temporarily or permanently the frequency and
manner of monitoring to determine that the service provider continues
to perform its services properly.
1. Recordkeeping Provisions Related to Monitoring
Finally, the proposal would amend the Advisers Act books and
records rule to require advisers to make and keep records documenting
the periodic monitoring of a service provider of a covered
function.\71\ Advisers generally should consider including information
such as performance reports received from the service provider, the
time, location, and summary of findings of any financial, operational,
or third-party assessments of the service provider, identification of
any new or increased service provider risks and a summary of how the
adviser will mitigate or manage those risks, any amendments to written
agreements with a service provider, the adviser's written policies and
procedures applicable to monitoring, a record of any changes to the
nature and scope of the covered function the service provider is to
perform, and a record of any inadequate or failed performance by a
service provider of a covered function and responses from the adviser.
The records would have to be maintained in an easily accessible place
while the adviser outsources the covered function and for a period of
five years after the adviser ceases outsourcing the covered
function.\72\ Like other proposed amendments to the books and records
rule, this aspect of the proposal is designed to facilitate our staff's
ability to assess an adviser's compliance with the proposed rule. We
believe it would similarly enhance an adviser's compliance efforts as
well.
---------------------------------------------------------------------------
\71\ See proposed rule 204-2(a)(24)(iv).
\72\ See proposed rule 204-2(e)(4).
---------------------------------------------------------------------------
We request comment on all aspects of the proposed monitoring
requirement, including the following items:
50. Should we adopt the monitoring requirements as proposed? Are
there other aspects of monitoring that should be required under the
rule? Conversely, should we exclude any of the proposed monitoring
requirements from the rule?
51. Should we prescribe the frequency of monitoring instead of
requiring an adviser to monitor its service providers with a manner and
frequency such that the adviser reasonably determines that it is
appropriate to continue to outsource the covered function and to
outsource to the service provider, as proposed? Or should we prescribe
a minimum frequency of monitoring? For example should we require that
monitoring of service providers be conducted monthly? Quarterly? No
less than annually? Why or why not?
52. As proposed, the rule requires that advisers make and maintain
records documenting the periodic monitoring of a service provider, but
it does not specify the specific records that must be maintained.
Should the rule identify specific records to be maintained? If so, what
records should be made and maintained and why? For example, should the
rule require retention of due diligence questionnaires, third party
audits, memos to file, or service provider reports?
53. Should we exempt certain categories of advisers or service
providers from the proposed monitoring requirements, such as smaller or
newer advisers or service providers? If so, which ones and why?
Alternatively, should we provide for scaled monitoring requirements by
any of these categories of advisers, and if so, how?
54. Should we prescribe the manner in which monitoring is
conducted? For example, should we require that advisers conduct onsite
visits of service providers on a periodic basis, or that advisers
require periodic written certifications of compliance on a periodic
basis, or engage third-party experts to conduct formal reviews? Why or
why not? Are there any other monitoring actions that we should require?
55. Should the proposed monitoring books and records amendments be
expanded or limited in any way? If so, how?
D. Form ADV
Data collected from Form ADV is of critical importance to our
regulatory program and our ability to protect clients and
investors.\73\ We use information reported to us on Form ADV Part 1A
for a number of purposes, one of which is to allocate our examination
resources efficiently based on the risks we discern or the
identification of common business activities from information provided
by advisers. The data disclosed in Form ADV Part 1A is structured such
that it is readily used to create risk profiles of investment advisers
and permits our examiners to prepare better for, and more efficiently
conduct, their examinations. Moreover, the information in Form ADV Part
1A allows us to understand better the investment advisory industry as
well as evaluate and form regulatory policies and improve the
efficiency and effectiveness of the Commission's oversight of markets
for investor protection.
---------------------------------------------------------------------------
\73\ Advisers use Form ADV to apply for registration with us
(Part 1A) or with state securities authorities (Part 1B), and must
keep it current by filing periodic amendments as long as they are
registered. See Advisers Act rules 203-1 and 204-1. Form ADV has
three parts. Part 1(A and B) of Form ADV provides regulators with
information to process registrations and to manage their regulatory
and examination programs. Part 2 is a uniform form used by
investment advisers registered with both the Commission and the
state securities authorities. See Instruction 2 of General
Instructions to Form ADV. Part 3: Form CRS describes the
requirements for a relationship summary. See General Instructions to
Form ADV. This release discusses proposed changes to Form ADV Part
1A. To the extent that state securities authorities consider making
similar changes that affect advisers registered with the states, we
would forward comments to the North American Securities
Administrators Association for consideration by the state securities
authorities.
---------------------------------------------------------------------------
To enhance our ability to oversee investment advisers and provide
additional public information about the use of service providers as
defined in proposed rule 206(4)-11, we are proposing to amend Form ADV
Part 1A to require registered advisers to identify their service
providers that perform covered functions, provide the location of the
office principally responsible for the covered functions, provide the
date they were first engaged to provide covered functions, and state
whether they are related persons of the adviser. For each of these
service providers, we would also require specific information that
would clarify the services or functions they provide.\74\ This
information would provide us with a better understanding of the
material services and functions that advisers
[[Page 68835]]
outsource to service providers, would help us better understand
potential broader market effects of outsourcing to service providers,
and would permit us to enhance our assessment of advisers' reliance on
service providers for purposes of targeting our examinations. The
information also would help us identify advisers' use of particular
service providers that may pose a risk to clients and investors, such
as in situations where we learn that a service provider experiences a
significant and ongoing disruption to its operations. Finally, the
information would provide public information about advisers' use of
third party service providers.
---------------------------------------------------------------------------
\74\ See proposed Form ADV, Part 1A, Item 7.C., and Section 7.C.
of Schedule D.
---------------------------------------------------------------------------
This new reporting item would appear in Item 7 of Form ADV and
consistent with the scope of proposed rule 206(4)-11, would only
require reporting by investment advisers registered or required to be
registered with the Commission.\75\ Currently, Item 7 requires advisers
to disclose information about financial industry affiliations and
activities, and to state whether they advise any private funds, and if
so, provide certain information related to those private funds.\76\ New
Item 7.C. would require SEC-registered advisers to check a box to
indicate whether they outsourced any covered functions to a service
provider. The required reporting will be limited to covered functions
that are outsourced to service providers, as defined in proposed rule
206(4)-11(b).\77\ The determination of what is a covered function would
vary depending on the facts and circumstances and, as a result, some
advisers may report a service on Form ADV as a covered function while
other firms may not. For those services determined to be covered
functions and outsourced to one or more service providers, advisers
would report more detailed information about each such service provider
in new Section 7.C. of Schedule D. This would include the legal and
primary business names of the service provider, the legal entity
identifier (if applicable), and the address of the service provider.
Having this identifying information for each listed service provider
would give us a more complete picture of the extent to which the
adviser's operations depend on one or more service providers, and help
us consider the potential effects in the event of an industry wide
failure by a particular service provider.
---------------------------------------------------------------------------
\75\ See proposed rule 206(4)-11(a). We are also proposing
conforming amendments to Form ADV Part 1A, General Instructions and
Glossary of Terms. Because Form ADV Part 1A is submitted in a
structured, XML-based data language specific to that Form, the
information in proposed new Item 7.C would be structured (i.e.,
machine-readable) as well. Advisers submitting an other-than-annual
amendment to Form ADV Part 1 would not be required to update their
responses to Item 7.C, even if the responses to those items have
become inaccurate, which is consistent with the updating
requirements for the rest of Item 7. See Instruction 4 to General
Instructions to Form ADV.
\76\ These new Form ADV reporting requirements are being
proposed in conjunction with proposed Rule 206(4)-11. Proposed rule
206(4)-11 would not apply to exempt reporting advisers, and
therefore proposed Item 7.C. would not apply to exempt reporting
advisers. We believe that requiring only investment advisers
registered or required to be registered to complete the items we
propose appropriately enhances our ability to oversee investment
advisers that are subject to the proposed rule and enhances client
and investor disclosure as it relates to the proposed rule.
\77\ See also proposed rule 204-2(a)(24)(i) (requiring a record
of covered functions that the adviser has outsourced to a service
provider).
---------------------------------------------------------------------------
Section 7.C. also would require noting whether the identified
service provider is a related person \78\ of the adviser, and noting
the date the service provider was first engaged. Both of these data
points would be helpful to us in conducting our risk assessments for
developing and targeting examinations. Knowing whether a service
provider is a related person would assist us and clients or investors
in understanding the conflicts of interest that may be present, and
would also assist in understanding better the potential impacts of a
service provider's non-performance or negligent performance. Finally,
Section 7.C. would require an adviser to report those covered functions
or services the service provider is actively engaged in providing from
predetermined categories of covered functions or services set forth in
the item. The non-exhaustive list of categories is intended to
encompass those services or functions that may be commonly outsourced
and could fall within the definition of a covered function. If the
service or function performed by the service provider was not
represented in a predetermined category, the adviser would be permitted
to select ``other'' with a free form field to identify the unlisted
category. The covered function categories that we are proposing to
include in Item 7.C of Schedule D are: Adviser/Subadviser; Client
Services; Cybersecurity; Investment Guideline/Restriction Compliance;
Investment Risk; Portfolio Management (excluding Adviser/Subadviser);
Portfolio Accounting; Pricing ; Reconciliation; Regulatory Compliance;
Trading Desk; Trade Communication and Allocation; Valuation; and Other.
For example, we believe regulatory compliance would generally include
outsourced chief compliance officer and other compliance consultant
functions.
---------------------------------------------------------------------------
\78\ See Glossary of Terms to Form ADV. A related person
includes ``[a]ny advisory affiliate and any person that is under
common control with your firm.''
---------------------------------------------------------------------------
This proposed disclosure would improve our ability to assess
service provider conflicts for those service providers that perform a
covered function as defined by the proposed rule, and could serve as an
input to the risk metrics by which our staff identifies potential risk
and allocates examination resources. The staff conducts similar
analyses today, but have limited inputs, which constrains their
effectiveness. For instance, it would be relevant to us to identify
easily advisers using a service provider that we are separately
investigating for involvement in alleged misconduct. The ability to
identify readily other advisers using such a service provider would
allow us to assess quickly and take appropriate actions. The proposed
disclosure would also improve our ability to evaluate the adequacy and
completeness of advisers' conflicts of interest disclosures by
identifying additional potential sources of conflict.
The information would be publicly available as is other information
on Form ADV, and we believe it may benefit the public in supplementing
the information available about the adviser and may provide investors
with additional context in which to consider an investment adviser's
provision of advisory services. The public would be able to identify
quickly and consider any implications of an adviser's use of one or
more service providers or the outsourcing of any service or function.
For example, if a client learns of a significant disruption at a major
service provider, that client could easily and quickly determine
whether its adviser uses that service provider for a service or
function the client considers material and whether to take remedial
action.
We request comment on the proposed Form ADV requirements:
56. Are the proposed requirements to disclose service providers
that perform a covered function as defined in rule 206(4)-11
appropriate? Should we instead require all registered advisers that
outsource any services to provide the specified information and then
mark each service to indicate whether it is a covered function within
rule 206(4)-11 or not? Or should we include a broader Form ADV
reporting requirement, such as requiring all advisers (e.g., exempt
reporting advisers and advisers registering with state securities
authorities) to provide the specified information regarding any
outsourced service or function or only those that are subject to rule
206(4)-11 or any substantially similar regulation?
[[Page 68836]]
57. Do commenters agree with the proposed list of covered functions
categories under Section 7.C of Schedule D? Do the proposed categories
adequately capture the range of covered functions? Are the categories
understandable? If not, which categories require additional
explanation? Should we add or remove any categories? If so, please
identify the category and explain why the change is appropriate. For
example, should we include additional categories relating to investment
data/analytics, information technology (e.g., IT infrastructure or
application software and support), or middle and back office functions
(e.g., client reporting and/or billing, performance measurement,
collateral management, post-trade processing, etc.)? Alternatively,
should the categories be consolidated (e.g., pricing and valuation),
retitled or otherwise revised? For example, do commenters agree that
regulatory compliance would generally include such services as
outsourced chief compliance officer and other compliance consultant
functions? If not, how should the category be revised to encompass
these types of outsourced functions?
58. Should we require additional or different reporting with
respect to service providers that perform functions related to books
and records required under rule 204-2? If so, how should reporting
requirements be changed for these service providers and/or what
additional information should be reported?
59. Do advisers have concerns with the public disclosure of service
providers that perform covered functions? If so, what are those
concerns? For example, are there categories of service providers that
should not be disclosed publicly due to competitive, trade secret,
compliance, or other risks? Should we require such disclosure to be
reported non-publicly to the Commission in a format other than the Form
ADV? If so, how?
60. Should the proposed ADV disclosure include the ability to
incorporate by reference to other parts of the form? For example,
should we allow advisers to cross reference private fund service
providers that are currently required to be disclosed in Section 7.B.
of Schedule D?
61. Are the proposed definitions of ``covered function'' and
``service provider'' in the Glossary of Terms to Form ADV appropriate?
Do commenters agree that these defined terms should cross-reference
proposed rule 206(4)-11(b)? Alternatively, should we provide the full
text of each term, as defined in proposed rule 206(4)-11(b), in the
Glossary of Terms to Form ADV without cross-reference to the proposed
rule?
62. Would any additional or other information be material to an
adviser's clients or prospective clients regarding outsourcing that is
not included in the proposal and is not currently disclosed to
investors through Form ADV or elsewhere (e.g., whether the service
provider arrangement is subject to a written agreement or information
about passed-through fees)? Should we add any other service provider
information to the Form ADV disclosure? If so, what information and
why? For example, should Form ADV, Part 2 require information in the
adviser's brochure about the use of service providers and related
conflicts and other risks? Or is information about outsourced services
already adequately being disclosed in connection with disclosures
related to conflicts of interest or other risks? For example, should we
require disclosure of potential conflicts of interest of the service
provider? Should we require that, in addition or in place of the
service provider's principal office, advisers report the principal
office where the service provider's services are performed?
Alternatively, should we delete any of the service provider information
proposed to be disclosed? If so, what information and why?
63. Do advisers have concerns it will be difficult to compile,
maintain and disclose this information on service providers? Could this
place an undue burden on smaller advisers? If so, which information may
be difficult to compile, maintain and disclose? Please explain.
64. Should private fund advisers be required under rule 206(4)-11
to provide information about their service providers to private fund
investors through additional or different disclosure requirements in
Form ADV? If so, what information should be required?
65. Should we require advisers to add narrative disclosures about
their service providers in their Form ADV Part 2 brochures or wrap fee
program brochures? If so, what information should be included?
E. Third-Party Recordkeeping
Many investment advisers seek to outsource various recordkeeping
functions. Some of these functions may involve record creation, others
may focus solely on record storage and retention, and many will include
creation as well as storage and retention functions. Investment
advisers may contract with data- and record-management companies,
offsite storage companies, or information technology companies (e.g.,
cloud service providers) to store or retain records. An adviser may
also rely on a third party to perform a function that creates records,
such as a firm that calculates performance or rates of return for one
or more portfolios that the adviser may use to manage the investments
in the portfolios, include in statements to clients or marketing
materials provided to prospective clients, or show on its website.
While the performance calculation provider's primary function is to
calculate performance, this provider relies on records and data that
substantiate the performance calculations and, in turn, those
calculations create new records that need to be stored and retained. As
another example, if a service provider were providing accounting,
investment operations, or middle office services for the adviser, many
of the records generated by the service provider would likely
correspond to records that the existing Federal securities laws require
registered investment advisers to make and keep.\79\ An adviser
therefore may not directly possess all of the documentation and records
that are required to be created or maintained by an investment adviser
under the existing Federal securities law requirements.
---------------------------------------------------------------------------
\79\ See, e.g., rule 204-2(a), which requires registered
advisers to maintain, among other things, journals, ledgers, check
books, memorandums of each order given for the purchase or sale of a
security, and bills or statements relating to the business of the
adviser.
---------------------------------------------------------------------------
The continuing accessibility and integrity of adviser records are
critical to the fulfillment of our oversight responsibilities, where
such records may represent a primary means in which to demonstrate an
investment adviser's compliance with various Federal securities laws.
If advisers are not required to protect their records from inadvertent
or intentional alteration or destruction and provide examiners with
meaningful access to all required records, then the records become
unreliable, and the examination process may be impaired. Recordkeeping
requirements ensure that the Commission staff will have access to
appropriate and helpful information in order to carry out its
examination program. The ability to conduct timely and comprehensive
examinations plays a significant role in proactively promoting
compliance with the Federal securities laws and aids in preventing
problems before they occur as well as promoting improvements in
relevant areas.
Accessing records also can be critical for an investment adviser to
provide advisory services and fulfill its fiduciary
[[Page 68837]]
duty to clients. For example, accessing account information from prior
periods can help an investment adviser substantiate portfolio
performance that has been presented to prospective clients.\80\ Issues
arising with an investment adviser's books and records can disrupt the
adviser's ability to provide its services and may result in material
harm to its clients. For example, if an adviser engages a cloud
services provider to maintain critical client information, such as
their account and personal information, and the cloud services provider
inadvertently experiences a loss of client records, this would be
reasonably likely to cause a material negative impact on the adviser's
ability to provide its services and on its advisory clients. The
adviser would either have no records or inaccurate records to verify,
for example, the client's account information. The adviser might not
have all the records it needs to execute certain investments or make
other decisions on behalf of its client. In addition, if the adviser
does not have accurate and timely information on client holdings and
transactions, this could result in misinformed purchase or sales
decisions as well as trade errors. The adviser may also lack the
trading information to be able to report to its clients or track its
trading activity in the portfolio, and, in turn, that could deprive
clients and the adviser an opportunity to respond to market changes or
timely remedy potential issues with the broker-dealer or custodian
involving the trades. An investment adviser's compliance monitoring and
internal audit functions also require timely access to records in order
to function efficiently, such as when monitoring portfolio
diversification and other client investment guidelines. As another
example, accessing communication records regarding trade order
execution may assist with monitoring whether an investment adviser is
adhering to its own written policies and procedures concerning best
execution.
---------------------------------------------------------------------------
\80\ Advisers generally should consider the specific retention
periods for each type of record, such as records to substantiate a
performance track record pursuant to rule 204-2(a)(16), and require
all records to be available for the necessary retention periods.
Advisers or their third parties relying on custodian statements, for
example, to document data used in performance calculations may wish
to consider retaining copies of such statements in the event the
adviser no longer has access to the custodian's systems for a
specific client's account.
---------------------------------------------------------------------------
When an adviser outsources recordkeeping functions without
sufficient oversight, the risk that an issue with an adviser's books
and records may arise can increase. Regardless of whether records are
made or kept by a third party or by the investment adviser directly,
the investment adviser remains responsible to comply with the Advisers
Act recordkeeping requirements and other Federal securities laws. Rule
204-2, the Advisers Act recordkeeping rule, details the types of
records required to be made and kept ``true, accurate and current'' as
well as the manner, location, and duration of records to be maintained
by investment advisers registered or required to be registered with the
Commission. It does not, however, prescribe requirements for when an
adviser outsources one or more of the required recordkeeping functions
to a third party.
Accordingly, the proposed amendments to the Advisers Act
recordkeeping rule include a new provision requiring every investment
adviser that relies on a third party to make and/or keep any books and
records required by the recordkeeping rule (``recordkeeping function'')
to comply with a comprehensive oversight framework, consisting of due
diligence, monitoring, and recordkeeping elements.\81\ Specifically, an
investment adviser would be required to perform due diligence and
monitoring as prescribed by proposed rule 206(4)-11(a)(1) and (a)(2)
with respect to the recordkeeping function and make and keep such
records as prescribed in proposed rule 204-2(a)(24) as though the
recordkeeping function were a ``covered function'' and the third party
were a ``service provider,'' each as defined in proposed rule 206(4)-
11(b). In addition, an investment adviser relying on a third party for
such recordkeeping functions would also be required to obtain
reasonable assurances that the third party will meet four specific
standards related to the recordkeeping rule's requirements.
---------------------------------------------------------------------------
\81\ See supra sections II.B and II.C; proposed rule 204-
2(l)(1); proposed rule 206(4)-11(a).
---------------------------------------------------------------------------
The proposed amendments would provide a comprehensive oversight
framework for third-party recordkeepers to protect against loss,
alteration, or destruction of an adviser's records, and to help ensure
that those records are accessible to the investment adviser as well as
Commission staff. The proposed amendments would require advisers to
conduct reasonable due diligence before engaging a third party to
perform a recordkeeping function required by the recordkeeping
rule.\82\ Specifically, an investment adviser would be required to
reasonably identify and determine through due diligence that it would
be appropriate to outsource the recordkeeping, and that it would be
appropriate to select a particular third-party recordkeeper, by
complying with each of the six due diligence elements specified in
proposed rule 206(4)-11(a)(1). These elements address: the nature and
scope of the services; potential risks resulting from the third-party
recordkeeper performing the recordkeeping function, including how to
mitigate and manage such risks; the recordkeeper's competence,
capacity, and resources necessary to perform the function; the
recordkeeper's subcontracting arrangements related to the function;
coordination with the recordkeeper for Federal securities law
compliance; and the orderly termination of the provision of the
function by the recordkeeper.
---------------------------------------------------------------------------
\82\ See proposed rule 204-2(l)(1).
---------------------------------------------------------------------------
Consistent with these requirements, an adviser's due diligence of a
third-party recordkeeper generally should be tailored reasonably to the
nature, scope, and risk profile of the recordkeeping function or
service that would be provided as well as to the identified third
party. For example, the adviser generally should consider whether the
particular third-party recordkeeper has the capability and experience
to both make and maintain the required records in a format that is
consistent with an adviser's books and records requirements. Therefore,
the required due diligence of an adviser seeking to engage a third-
party cloud provider to make and keep records on behalf of the adviser
should take into account the third party's competence, capacity, and
resources generally, but the adviser may not need to understand the
intricacies of the cloud service's operations. The adviser generally
should have a reasonable understanding of the cloud service and the
risks of the service, and be able to conclude that it can mitigate and
manage those risks. In conducting this due diligence, the adviser could
review factors such as:
<bullet> Comparative cloud-based recordkeeping services, including
their respective parameters, benefits, and risks,
<bullet> The cloud service provider's capability and experience
with making and/or keeping records required under the recordkeeping
rule,
<bullet> The cloud service's compliance and operational policies
and procedures for the protection of data, and its policies and
procedures addressing the maintenance and oversight of the data,
<bullet> The cloud service's prevention and detection of, and
response to, cybersecurity threats, and
<bullet> The experience or lack thereof of other similarly situated
advisers that
[[Page 68838]]
have previously engaged the cloud service and any risks identified in
those experiences or lack thereof.
Once a third party is engaged to provide recordkeeping functions
required by the recordkeeping rule, proposed rule 204-2(l) would
require the adviser to monitor the third party's performance of the
recordkeeping function periodically and reassess the retention of the
third party in accordance with the monitoring requirements prescribed
by proposed rule 206(4)-11(a)(2). Monitoring third-party recordkeepers
is critical to an adviser's ability to discover and address issues
relating to the adviser's records in a timely fashion before such
records may be inadvertently altered, lost or destroyed or otherwise
rendered inaccessible. As discussed in section II.C above, the manner
and frequency of an adviser's monitoring would depend on the facts and
circumstances applicable to the recordkeeping function. For example,
sufficient monitoring of an off-site physical record storage company
may reasonably differ from that of an electronic media storage company
due to the inherent differences in the nature and scope of their
respective functions.
Further, an investment adviser would be required to comply with the
attendant recordkeeping requirements prescribed in proposed rule 204-
2(a)(24) with respect to such functions. Thus, in addition to
performing the required due diligence and monitoring for a third party
recordkeeping, an adviser would also be required to make and keep
records documenting its due diligence and periodic monitoring of that
third party as though the recordkeeping function were a ``covered
function'' and the third party were a ``service provider'', each as
defined in proposed rule 206(4)-11(b).\83\ Requiring an adviser to make
and keep records of its oversight of third-party recordkeepers is
intended to enhance an adviser's compliance efforts and facilitate the
Commission's inspection and enforcement capabilities.
---------------------------------------------------------------------------
\83\ See proposed rule 204-2(a)(24)(ii).
---------------------------------------------------------------------------
In addition to due diligence and monitoring obligations, an
investment adviser that relies on a third party to perform any
recordkeeping function under rule 204-2 would be required to obtain
reasonable assurances that the third party will meet four standards
specific to recordkeeping.\84\ First, the adviser must have reasonable
assurance that the third party will adopt and implement internal
processes and/or systems for making and/or keeping records on behalf of
the investment adviser that meet all of the requirements of the
recordkeeping rule. Second, the adviser must have reasonable assurance
that, when making and/or keeping records on behalf of the adviser, the
third party will, in practice, actually make and/or keep records in a
manner that will meet all of the requirements of the recordkeeping rule
as applicable to the investment adviser. Third, for electronic records,
the adviser must have reasonable assurance that the third party will
allow the investment adviser and Commission staff to access the records
easily through computers or systems during the required retention
period of the recordkeeping rule. Whether computers or systems satisfy
this provision of the rule would be determined based on the facts and
circumstances, and could include, for example, computers and
proprietary systems owned and operated by an adviser as well as
computers and systems rented, licensed or otherwise made available to
an adviser (e.g., web portals, cloud computing, storage area networks,
and electronic recordkeeping systems) which may be used to access such
electronic records. Fourth, the adviser must have reasonable assurance
that arrangements will be made to ensure the continued availability of
records that will meet all of the requirements of the recordkeeping
rule as applicable to the investment adviser in the event that the
third party ceases operations or the relationship with the investment
adviser is terminated.\85\
---------------------------------------------------------------------------
\84\ See proposed rule 204-2(l)(2).
\85\ The Commission staff has previously addressed third-party
recordkeeping subject to certain conditions in staff letters. See,
e.g., First Call NAL, supra footnote 25; OMGEO NAL, supra footnote
25.
---------------------------------------------------------------------------
These standards, coupled with the prescribed due diligence and
monitoring requirements, are intended to assist with making and keeping
true, accurate, and current records of the adviser, protect those
records from loss, alteration, or destruction, and ensure that those
records are accessible to the investment adviser and the Commission
staff, while maintaining appropriate freedom for investment advisers to
contract with service providers to assist with recordkeeping functions.
We expect that the arrangements between investment advisers and service
providers for recordkeeping services may vary significantly among firms
due to differences in the structure, operation, or scope of services
amongst investment advisers and service providers.
Whether an investment adviser's arrangement with a third-party
service provider satisfies the requirements under proposed rule 204-
2(l)(2) would depend on the particular facts and circumstances of the
arrangement including, among other things, the type of record, where
the records are located, the medium and method of storage, and how
promptly records or copies of records can be provided. When a third
party is retained to assist with recordkeeping, the making and keeping
of records still must satisfy the applicable requirements prescribed by
rule 204-2. Thus, the adviser must obtain reasonable assurance that the
third party will adopt and implement internal processes and/or systems
for both making and keeping records on behalf of the investment adviser
that meet the applicable requirements of rule 204-2.\86\ For example,
rule 204-2(g) permits an investment adviser to maintain records
electronically as long as certain requirements are met, including that
the adviser shall, upon request, promptly provide the Commission
legible, true, and complete copies of records in the medium and format
in which they are stored, printouts of such records, and a means to
access, view, and print the records. Therefore, under proposed rule
204-2(l)(2), where a service provider will keep email archives (e.g.,
in cloud storage or an external storage database) on behalf of an
investment adviser, the adviser should have reasonable assurance that
the service provider will, among other things, adopt and implement
internal processes and/or systems for making and/or keeping the records
in such a manner to enable a prompt response to Commission requests for
such records in the format required.\87\ We are aware of instances
where advisers engage a third party to learn only later that the third
party cannot produce required records in a reviewable format. These are
issues that should be identified and addressed before a third-party
recordkeeper is engaged.
---------------------------------------------------------------------------
\86\ See proposed rule 204-2(l)(2)(i).
\87\ See proposed rule 204-2(l); 17 CRF 275.204-2(g)(2)(ii).
---------------------------------------------------------------------------
The recordkeeping rule also addresses the location and length of
time that required records under the rule must be maintained. Rule 204-
2 generally requires that, among other things, such records be
maintained and preserved in an easily accessible place and, for a
period of time, in an appropriate office of the investment adviser.\88\
Consistent with these requirements, if an adviser outsources the
storage of records under the recordkeeping rule, the adviser should
seek to ensure that those records
[[Page 68839]]
will be easily accessible for the duration of the required retention
period. For example, if an investment adviser retains an off-site
physical storage company to assist with maintaining physical records of
records such as trade confirmations, those records should be maintained
in an appropriate office of the adviser for the applicable period
first, and then when the records are moved to the off-site location,
they must be maintained in an easily accessible place.\89\ For
electronic records, the proposed amendments would require an investment
adviser to have the ability to access electronic records easily through
computers/systems because such required records may be stored on
servers or other storage devices that are owned or operated by a third
party (e.g., a cloud service provider).\90\ However, pursuant to rule
204-2, the records still must be available in the adviser's office for
a period of time.\91\ The computers and/or systems that provide access
to the required records could include computers and proprietary systems
owned and operated by an adviser as well as computers and systems
rented, licensed or otherwise made available to an adviser (e.g., web
portals, cloud computing, storage area networks, and electronic
recordkeeping systems). This element of the proposed amendments is
intended to safeguard an investment adviser's access to its required
records while providing firms with the ability to use electronic
platforms to make and keep their records. If an adviser has essentially
immediate access to a record through a computer or system located at an
appropriate office of the adviser, then that record could be considered
to be maintained at an appropriate office of the adviser.\92\ For
example, if an investment adviser relies on a service provider to store
trade confirmations in the service provider's electronic database, one
way the adviser could seek to ensure that the records will be easily
accessible would be to require access to the records at any time
through computers and/or systems for the record's required retention
period under rule 204-2.\93\ In addition, in such an arrangement, the
adviser should also seek to ensure such records are maintained in such
a manner to permit them to be promptly provided to the Commission upon
request.
---------------------------------------------------------------------------
\88\ See 17 CFR 275.204-2(e).
\89\ See rule 204-2(e).
\90\ See proposed rule 204-2(l)(2)(iii).
\91\ See rule 204-2(e).
\92\ See, e.g., First Call NAL, supra footnote 25.
\93\ See proposed rule 204-2(l)(2)(iii); see also, e.g., OMGEO
NAL, supra footnote 25.
---------------------------------------------------------------------------
When engaging a third party to provide recordkeeping services under
rule 204-2, the investment adviser should account for how to continue
to stay in compliance with the rule's requirements after termination of
the arrangement either by the adviser or the third party.\94\ Rule 204-
2(f) addresses circumstances where an investment adviser may
discontinue its business and requires, among other things, that the
adviser arrange for and be responsible for the preservation of required
records under the rule. Similarly, a service provider may also
discontinue its business or arrangement with an investment adviser. To
seek to protect records required by the recordkeeping rule against loss
and destruction when outsourced recordkeeping arrangements change or
terminate, we are proposing to require an investment adviser to obtain
reasonable assurance that a third party will make arrangements to
ensure the continued availability of the required records under the
recordkeeping rule as applicable to the adviser should the third party
cease operations or its relationship with the investment adviser be
terminated.\95\ For example, if an adviser were retaining records with
a cloud storage service provider, the adviser may consider requiring
that the cloud service provider agree to retain and grant the adviser
access to such records for the legally required amount of time.
Alternatively, the adviser may want to require that the service
provider agree to assist in the transfer of such records to the adviser
or another agreed-upon third party at the termination of the
contractual relationship. This would allow the adviser to continue to
retain such records in compliance with its legal obligations and
provide them to the Commission staff upon request.\96\
---------------------------------------------------------------------------
\94\ See 17 CFR 275.204-2(f); proposed rule 204-2(l)(2)(iv)).
\95\ See proposed rule 204-2(l)(2)(iv).
\96\ See proposed rule 204-2(l)(2)(iv).
---------------------------------------------------------------------------
While many investment advisers may already have service provider
agreements or other arrangements that contain these proposed standards
as part of their policies and procedures or best practices to mitigate
or manage risks the investment advisers identified when performing due
diligence and monitoring, we believe that all investment advisers
should obtain reasonable assurances that service
[…truncated; see source link]Indexed from Federal Register on November 16, 2022.
This is legal information, not legal advice. Laws vary by jurisdiction and change frequently. Always verify current law with official sources and consult a licensed attorney in your jurisdiction for advice on your specific situation.