Outsourcing by investment advisers: A comment letter on the SEC proposed rule

On Oct. 26, 2022, the Securities and Exchange Commission (SEC) proposed a new rule which would impose specific requirements on registered investment advisers which outsource functionality to third-party providers. In the press release announcing the proposed rule and associated amendments, SEC Chair Gary Gensler stated, “Though investment advisers have used third-party service providers for decades, their increasing use has led staff to make several recommendations to ensure advisers that use them continue to meet their obligations to the investing public. When an investment adviser outsources work to third parties, it may lower the adviser’s costs, but it does not change an adviser’s core obligations to its clients. Thus, today’s proposal specifies requirements for investment advisers designed to ensure that advisers’ outsourcing is consistent with their obligations to clients.”

The comment period for the proposal remained open for 60 days, closing on Dec. 27, 2022. As a portfolio, COMPLY submitted comments on the proposal.

COMPLY does not believe that the proposed rule is necessary for several reasons. The SEC already has examination and enforcement powers to identify and call attention to the need for advisers to conduct regular and meaningful reviews of service providers. In our experience, advisers are not only well aware of risk alerts and enforcement cases involving poor oversight of service providers, but actively take appropriate steps to bring their own reviews in line with SEC expectations, based on each adviser’s specific practices. The only benefit listed in the Release that is currently not being met by these examination and enforcement powers is the ability to evaluate a service provider’s potential impact on a market event. This could be accomplished by including a census on Form ADV Part 1A.

COMPLY disagrees with the Commission’s determination that the use of an outsourced service provider is in and of itself a conflict of interest. In providing examples of why this situation presents a conflict, the Release states:

Outsourcing a service also presents a conflict of interest between an adviser providing a sufficient amount of oversight versus the costs of providing that oversight or the cost of the adviser providing the function itself.

That conflict exists for every function in an adviser’s business, whether outsourced or not. For example, an adviser must weigh the costs of using its own employees and staff to collect and review personal securities transactions versus outsourcing this function. The presumption that providing and supervising these services in-house is not a material conflict of interest but hiring an outside service provider and providing appropriate oversight of that service provider is a material conflict seems arbitrary at best.

The following highlights some of COMPLY’s comments on specific questions included in the SEC proposal; the letter is not reproduced here in its entirety.

Is the proposed scope of the rule appropriate? Why or why not? In what ways, if any, could the proposed scope of the rule or the proposed definition of covered function better match our policy goals? Does it need to be made clearer?

Whether by expanding the definition of “covered function” or “service provider”, or by adding a definition of “outsourcing”, COMPLY recommends narrowing the scope of the rule.

First, the services to be covered by the rule should be those that:

  1. Are regular and continuous.
  2. Do not require the review and approval of the final product by the adviser.

Services that are regular and continuous typically take place outside of the adviser’s direct supervision, and so a regular review of the provider would make sense. An example of this type of service would be a third party’s creation and maintenance of an algorithm used by an adviser to manage client accounts. As it would be unreasonable and unwieldy to constantly review the algorithm, periodic review of the service provider is needed for the adviser to meet its fiduciary duty.

Services that require the adviser’s review and approval of the final work product receive a thorough review by the adviser whenever the work product is delivered and accepted. For example, when a compliance consultant prepares an annual updating amendment for an adviser, the adviser must review it and verify that the information in it is complete and correct. This should be outside the scope of the proposed rule. By contrast, a periodic vulnerability assessment of an adviser’s information technology systems conducted by a third party necessarily includes the conclusions and opinions of that third party, and so would not be subject to the adviser’s review and approval and should therefore be covered by the rule.

Instead of oversight requirements when an adviser outsources a covered function, should we only require Form ADV disclosure to clients and potential clients of any outsourcing of certain functions? Would it be sufficient for an adviser to disclose that it would outsource these services and not oversee them and would any reasonable investor agree to this approach? Or would a more limited approach to the oversight of service providers be appropriate instead of the proposed requirements? If so, what should that limited approach be?

COMPLY fundamentally disagrees with the Commission’s presumption that an investment adviser’s use of outside service providers to provide covered functions is necessarily a material conflict of interest. In fact, the Commission would be incenting those advisers without the volume of covered work to support hiring expert staff to accept lesser quality covered work simply to avoid a phantom conflict of interest.

Moreover, COMPLY believes that required disclosures about service providers are not needed, are not wanted by investors, and would make clients and prospective clients even less likely to actually read the Form ADV Part 2. The Release summarizes the purpose of Part 2 as follows:

To allow clients and prospective clients to evaluate the risks associated with a particular investment adviser, its business practices, and its investment strategies, it is essential that clients and prospective clients have clear disclosure that they are likely to read and understand. IA-3060 (emphasis added).

Institutional clients, who may actually have an interest in this information, can obtain it through interviews with the adviser, DDQs, and other means. Adding what would inevitably be several pages of additional disclosure that, even with the scrupulous use of plain English, would veer into the technical and more esoteric aspects of the advisory business, would only serve to make the Part 2A less welcoming (and therefore less helpful) to clients and prospective clients.

Moreover, disclosure would be burdensome for advisers. If, as the Release implies, the hiring and firing of a covered service provider is material to advisory clients, the Part 2A would not only have to be amended but the revised disclosure would need to be provided to current clients whenever the firm changed covered providers.

As noted in the Overview section of this letter (above), COMPLY has concluded that the only benefit listed in the Release that is currently not being met by the Commission’s examination and enforcement powers is the ability to evaluate a service provider’s potential impact on a market event. This could be accomplished by including a census on Form ADV Part 1A. That said, however, publicly providing this information could provide a covered service provider’s competitors with the means to specifically target that firm’s clients. COMPLY, therefore, recommends that the responses to this census be available only to the Commission or state securities regulators.

Finally, regardless of intent, COMPLY is concerned that the net effect of the rule as proposed would be to effectively exercise regulatory authority over service providers not under the Commission’s regulatory purview. It would be inappropriate for the Commission to do indirectly what it lacks the authority to do directly, and COMPLY encourages the Commission to avoid the repercussions of exceeding its authority in this way.

In addition to the proposed oversight requirements when an adviser outsources a covered function, should the rule include an express provision that prohibits an adviser from disclaiming liability when it is not performing a covered function itself?

No. In COMPLY’s experience, investment advisers are fully aware of their fiduciary duty and inability to relinquish it. Moreover, contracts between advisers and service providers include provisions regarding indemnification and limitations of liability. Therefore, this provision is not necessary.

Should we exempt certain service providers or covered functions from some or all of the due diligence requirements? If so, which service providers should we exempt, which due diligence requirements should we exempt, and why?

Taking a less prescriptive approach would likely make categorical exclusion of certain service providers or covered functions unnecessary. A risk-based approach, such as that already used by many advisers, allows the adviser to rank service providers and to direct its resources to those who present the most risk to the firm and/or its clients. As referenced in our response to Question 18, the degree to which advisers outsource covered functions varies greatly even at individual service providers, and certain functions, such as those that require review and approval by the adviser, do not necessarily require the same degree of oversight as, for example, those that the adviser delegates completely. Allowing advisers to determine which providers need more or less attention at any given time based on the facts and circumstances of the outsourcing arrangement, including the potentially changing scope of services and any third-party oversight, helps ensure the most efficient use of resources and management of risk.

The proposed rule is intended to provide flexibility to investment advisers in the methods they use to identify outsourcing risks. Should we dictate a specific method by which risks are identified? For example, should we require that investment advisers prioritize the identified risks and create a record of that prioritization?

Contrary to the stated intention of providing flexibility to investment advisers, COMPLY believes that the proposed rule is too prescriptive. Dictating a specific method by which advisers would be required to identify risks would appear to further undermine that intention and is contrary to the principles-based regulatory framework that seems to have served clients and the industry well for many years. While not formally codified, the obligation of investment advisers to conduct and document an assessment of risk based upon their business models has been inferred from the Adopting Release IA-2204 of rule 206(4)-7 and has been underscored by the Commission’s requests for such information during examinations. In addition, the SEC’s proposed Cybersecurity Risk Management rule 206(4)-9 requires investment advisers to assess and document cybersecurity risks based on the nature and scope of their business and their specific cybersecurity risks. Given these existing precedents, it would appear that the most effective and flexible approach to risk assessment would be to allow investment advisers to continue to conduct risk assessments based on each firm’s business model and avoid mandating any specific method on all investment advisers.

Generally speaking, COMPLY stated, “it is unclear how the proposed rule will mitigate perceived problems with service provider oversight. An adviser whose oversight is insufficient to meet its fiduciary duty can already be detected through the examination process. Violations of the proposed rule, like violations of fiduciary duty, will only be discovered when an adviser is examined. The rule simply burdens advisers with new requirements to address issues that are already reviewed during an examination.”

Other comments can be found on the SEC website.