Regulatory convergence sees proposed SEC rules echo FCA outsourcing standards
By Dan Campbell; Andrew Poole, ACA Group
Published: 19 June 2023
In November 2022, the US Securities and Exchange Commission (SEC) released its proposed rule, Rule 206(4)-11, which prohibits registered investment advisers from outsourcing certain services or functions without first meeting minimum requirements. The proposed rule requires investment advisers to ensure that critical third-party service providers have the competence, capacity, and resources necessary to do their job before engagement and periodically confirm that this is still the case. The proposed rule also states advisers would need to maintain certain books and records evidencing due diligence efforts.
Service providers may perform several functions that relate to an adviser’s business. Supporting functions may include investment research and data analytics, trade and risk management, fund administration, outsourced IT support, and compliance. This new rule is set to introduce requirements concerning diligence and oversight of certain critical service providers that perform key functions, have access to sensitive information, and may store certain required records on behalf of the adviser.
Regulated firms in the UK have long been required to document the due diligence performed on vendors when considering outsourcing functions and, under certain circumstances, must inform the Financial Conduct Authority (FCA) of such outsourcing arrangements. These arrangements are defined as “material outsourcing” arrangements and are similar to those within the proposed SEC rules.
Key elements of the proposal
The proposed SEC rule applies to service providers that perform a ‘covered function’, which is defined as:
- A function or service that is necessary for the adviser to provide its investment advisory services in compliance with federal securities laws.
- Those functions that, if not performed or performed negligently, would be reasonably likely to cause a material negative impact on the adviser’s clients or the adviser’s ability to provide investment advisory services.
In the proposed rule, the SEC provided the following examples for service providers that would and would not be performing covered functions:
- An adviser that enters into a written agreement with a valuation provider to value all of its clients’ fixed income securities would be considered to have retained a service provider under the proposed rule to perform a function necessary for the adviser to provide its advisory services.
- The proposed rule would not cover a custodian retained through a written agreement directly with a client because the adviser is not retaining the service provider to perform a function necessary for the adviser to provide its advisory services.
These definitions echo the definition of “Material Outsourcing” in the FCA Handbook, namely services for which a weakness or failure would cast serious doubt upon the firm’s continuing satisfaction of the threshold conditions; i.e., if the functions aren’t performed, a firm probably is not up to the required regulatory standards.
For a list of functions and related topics potentially covered under the SEC’s proposed rule, please see the “Recordkeeping and Form ADV” section below.
Regarding the second element of the proposed SEC definition, advisers should consider their service providers and determine potential material impacts if the service provider didn’t perform its functions or services adequately. The following example was provided:
“If an adviser used a service provider for portfolio management functions that experience a cyber-incident that caused an inability for the adviser to monitor risks in client portfolios properly, it would be reasonably likely to cause a material negative impact on the adviser’s clients and its ability to provide investment advisory services.”
The basic framework requires an initial determination to outsource, onboarding due diligence and ongoing monitoring, a process for ending the service provider relationship, and recordkeeping.
As with FCA requirements, an SEC registered adviser will have to “reasonably identify and determine” that outsourcing the covered function would be appropriate, addressing the following areas in their due diligence:
- Nature and scope of services;
- Potential risks resulting from the service provider performing the covered function, including how to mitigate and manage such risks;
- Service providers’ competence, capacity, and resources necessary to perform the covered function;
- Service providers’ subcontracting arrangements related to the covered function;
- Coordination with the service provider for federal securities law compliance;
- The orderly termination of the service provider’s services.
The adviser must then determine that the service provider it selects is appropriately performing its function(s). This means periodically monitoring the service provider’s performance and reassessing if performance is as expected. The FCA also requires an assessment of the service provider’s financial stability and expertise.
Recordkeeping and Form ADV
The proposed rule includes changes to the recordkeeping rule to include:
- A list of covered functions outsourced and service providers used;
- Records documenting initial diligence and monitoring of each service provider; and
- Advisers must obtain reasonable assurance that the service provider can meet four standards specific to recordkeeping:
  a. Adopt and implement internal processes or systems for keeping records that meet the requirements of the recordkeeping rule applicable to the adviser;
  b. Maintain records that meet the requirements of the recordkeeping rule applicable to the adviser;
  c. Provide access to electronic records; and
  d. Ensure the continued availability of records if the third party’s operations or relationship with the adviser ceases.
The proposed rule also includes amendments to Form ADV that require firms to disclose their outsourced service providers, indicating the functions the SEC considers covered.
Challenges for hedge fund managers
Smaller advisers will likely bear a greater burden as annual time and cost estimates for small advisers to comply with the new rule are thought to be close to 196 hours, with an aggregate cost of US$27,698,987 (US$58,808 per small adviser). Small advisers have the greatest incentive and need for outsourcing, benefitting the most from it. Conversely, they also have fewer resources to comply with these prescriptive requirements.
Interestingly, the SEC acknowledges that determining whether an outsourced function is covered by the rule is complicated and that doing this initial analysis has a cost. Moreover, if advisers interpret covered functions too conservatively, they may spend more money performing extensive due diligence than required.
“This analysis may be particularly costly for certain functions for which it may require thorough investigation to evaluate whether the function is necessary for the adviser to provide investment advisory services, or for which it may require thorough investigation to evaluate whether there would be a material negative impact on the adviser’s clients or on the adviser’s ability to provide investment advisory services if the function was not performed, or if performed negligently.”
One cost driver is analysing the performance of covered functions. Because this term is vague, firms will engage outside parties and experts to determine which third-party service providers meet this definition. The rule also includes other ambiguities, such as what it means to “reasonably identify and determine” the appropriateness of outsourcing the covered function. Advisers will also need to identify the risks involved in hiring the service provider and how to manage such risks. In addition to paying experts for advice on these issues, managers will remain at risk of incorrect interpretations.
The proposed rule includes reasonable language, similar to the Compliance Program Rule (Rule 206(4)-7); however, as shown by some SEC settlements citing violations of the Compliance Program Rule, the SEC has trended towards applying a stricter liability standard. There are other similar minefields to be considered, including whether a firm has sufficiently identified potential risks from the service provider performing the covered function and how to mitigate and manage such risks.
Another issue for advisers would be service providers providing “reasonable assurances” that they have processes or systems for keeping records meeting the Advisers Act recordkeeping requirements. Service providers may be reluctant to agree to such terms or would have to implement additional controls and procedures, with the expense ultimately recouped through higher costs and fees passed on to managers. Service providers may also charge advisers to access records after the relationship is terminated.
In the event of the SEC adopting these proposed requirements, managers will need to create an inventory of current service providers and rank them based on their function within the investment management process. Firms would also need to include third parties that provide the following services:
- Assistance with monitoring investment guidelines and restrictions
- Client servicing
- Cyber security
- Fund administration
- Investment risk monitoring
- Portfolio accounting
- Portfolio management
- Regulatory compliance
- Technology that drives portfolio decisions
Managers will have to document why these services were outsourced and the criteria for selecting the specific providers.
In addition, a review of books and records maintained by third-party service providers will be required, along with a determination of whether they would be able to produce records during an SEC examination. Moreover, firms would have to consider options should a service provider be terminated. Will the service provider download the records in a format accessible to the adviser prior to termination? Should the adviser consider periodic downloads of records to ensure its recordkeeping obligations are met? Managers will need to know the answers to these questions prior to SEC staff conducting examinations.
Finally, managers should consider if altering or removing clauses in investment agreements seeking to limit the liability associated with acts and omissions of an engaged third-party service provider puts them at odds with the intent of the proposed rule.
Working with a trusted and established outsourced provider with extensive policies, procedures and controls will be key to helping to address regulatory concerns and minimise potential issues.