Committee Reports

Outsourcing by Investment Advisers – Comment Letter to SEC

SUMMARY

The Compliance Committee submitted a comment letter to the U.S. Securities and Exchange Commission in response to the SEC’s request for comment on Release No. IA-6176 (October 26, 2022) in which the Commission proposed rules with regard to outsourcing by investment advisers. The proposed rule would require investment advisers registered or required to be registered to conduct due diligence on service providers to which investment advisers outsource “Covered Functions.” It also introduces periodic monitoring requirements, books and records obligations, and changes to Form ADV in connection with outsourcing. While the Compliance Committee recognizes the concerns expressed by the Commission regarding outsourcing, it does not believe that the proposed rule, as written, would effectively accomplish the Commission’s stated goals, and instead is likely to diminish opportunities to, or discourage investment advisers from, outsourcing functions that are best provided by independent third parties with specific expertise. Among other concerns, the Compliance Committee believes that the definition of “Covered Function” is too broad and subjective. It also believes that the prescriptive due diligence requirements will be difficult to comply with and will cause due diligence to be performed in a “check the box” manner. It is also concerned that the costs and time requirements imposed by the Proposed Rule will be difficult, if not impossible, for smaller investment advisers to bear, and consequently, will have the effect of decreasing available investment options for investors by creating barriers to entry for smaller investment advisers as well as exits and consolidation within the industry.

The Committee urges the Commission to reconsider whether the Proposed Rule is necessary in light of an investment adviser’s existing fiduciary duty of care, and evaluate whether the Commission can accomplish its objectives through other means, such as guidance or risk alerts, as the Commission has done in other contexts.

REPORT

Vanessa A. Countryman
Secretary
U.S. Securities and Exchange Commission
100 F Street, N.E.
Washington, DC 20549-1090

Re: Outsourcing by Investment Advisers (Release No. IA-6176; File No. S7-25-22)

Dear Ms. Countryman:

The New York City Bar Association’s Compliance Committee (the “Compliance Committee”) submits this letter in response to the request of the Securities and Exchange Commission (the “SEC” or the “Commission”) for comment on SEC Release No. IA-6176 (October 26, 2022) in which the Commission proposed rules with regard to outsourcing by investment advisers (the “Proposal”).  The Compliance Committee appreciates the opportunity to comment on the Commission’s Proposal.

The Compliance Committee membership includes many compliance professionals at various financial institutions, in addition to attorneys from law firms, in-house counsel and in-house compliance professionals, consultants, and representatives of federal and state law enforcement, regulatory, and government agencies. We believe the Compliance Committee’s diverse membership focused on the compliance function enables it to provide a thoughtful view on matters impacting the compliance function specifically and the financial community generally.

Introduction

The Commission has introduced proposed Rule 206(4)-11 (the “Proposed Rule”), which would require investment advisers registered or required to be registered to conduct due diligence on service providers to which investment advisers outsource “Covered Functions.”  The Proposed Rule also introduces periodic monitoring requirements, books and records obligations, and changes to Form ADV in connection with outsourcing.

In the Proposal, the Commission identified several risks associated with the outsourcing of Covered Functions by investment advisers, including disruptions in their ability to perform advisory services if certain outsourced service providers experience disruptions; poor oversight of service providers, potentially leading to financial losses for the investment adviser’s clients; risks related to a service provider’s conflicts of interest; inability to replicate services that are highly technical; and broader market-wide and systemic risks.

The Compliance Committee recognizes the concerns expressed by the Commission regarding outsourcing.  However, the Compliance Committee does not believe that the Proposed Rule, as written, would effectively accomplish the Commission’s stated goals, and instead is likely to diminish opportunities to, or discourage investment advisers from, outsourcing functions that are best provided by independent third parties with specific expertise.

In the first instance, the Compliance Committee believes that the definition of “Covered Function” is far too broad and subjective, and therefore recommends narrowing the definition and making it more specific.  The Compliance Committee also believes that the prescriptive due diligence requirements will be difficult to comply with in many cases and will almost certainly cause due diligence to be performed in a “check the box” manner, in many cases eroding the effectiveness of the practice.

The Compliance Committee is also concerned that the costs and time requirements imposed by the Proposed Rule will be difficult, if not impossible, for smaller investment advisers to bear, and consequently, will have the effect of decreasing available investment options for investors by creating barriers to entry for smaller investment advisers as well as exits and consolidation within the industry.

Finally, the Compliance Committee urges the Commission to reconsider whether the Proposed Rule is necessary at all in light of an investment adviser’s existing fiduciary duty of care, and evaluate whether the Commission can accomplish its objectives through other less prescriptive, less burdensome means, such as guidance or risk alerts, as the Commission has done in other contexts.  The Compliance Committee would applaud the Commission providing greater guidance to industry participants that encourages behaviors that are intended to mitigate risk through various means, including conducting periodic assessments and providing disclosures to clients and investors regarding risks and conflicts associated with the practice of outsourcing.  The Compliance Committee believes that these functions can and should be performed in the context of existing compliance programs and Rule 206(4)-7 reviews, which already contemplate the need to consider and diligence outsourced vendor relationships, rather than a prescriptive rule that will require entirely new policies and procedures, significant time commitments to assess existing and new relationships, annual upkeep, and potentially excessive and disparate disclosures in Form ADV.

Vagueness in the Definition of “Covered Function”

The Compliance Committee believes that the definition of “Covered Function” is too broad and subjective for investment advisers to fully understand their obligations under the Proposed Rule.  The first prong of the definition refers to functions that are “necessary for the adviser to provide its investment advisory services in compliance with the Federal securities laws.”  The second prong requires investment advisers to analyze whether the function, “if not performed or performed negligently, would be reasonably likely to cause a material negative impact on the adviser’s clients or on the adviser’s ability to provide investment advisory services.”  Investment advisers will have a difficult time determining what is “necessary” in this context and quantifying a “material negative impact.”

In the Proposal’s analysis, the Commission states that the results for individual investment advisers may vary depending on how investment advisers utilize the service providers.  As currently proposed, the Commission’s use of index providers as an example is emblematic of the vagueness of the definition of “Covered Function”.  The Compliance Committee believes that even in cases where an investment adviser uses an index provider in order to assist in formulating investment advice, not all investment advisers would agree that such use is “necessary” to perform investment advisory services in compliance with federal securities laws.  Some advisers may take the position that such use is helpful, but not necessary because the indices may comprise only a small portion of the investment adviser’s strategy.  Others may determine that because their investment adviser firm utilizes multiple index providers, the failure of any one index provider would not materially harm investors and would therefore not satisfy the second prong of the definition.  A prescriptive rule should not yield results where a definition that is central to compliance with the rule would be interpreted so inconsistently among those that are subject to the rule.

The Compliance Committee is concerned that the lack of specificity in the definition will force compliance teams to spend substantial amounts of time analyzing whether the services provided by various service providers are, in fact, “Covered Functions.”  Further, and perhaps of greater significance, without definitions that can be easily adapted, we believe that investment advisers are likely to take the most conservative path and perform diligence in the prescriptive manner required by the Proposed Rule on all of their existing relationships, as well as all new relationships, in anticipation of being asked to demonstrate compliance in future routine examinations by the Commission.  Some investment advisers may outsource to as many as 175 different service providers, ranging from technology, to trading platforms, to risk management, to compliance.

The Commission seems to acknowledge in its Proposal that the definition of Covered Function may be overbroad.  If the Commission were to move forward with this Proposed Rule, the Compliance Committee would recommend narrowing the definition by specifying particular “Covered Functions” that are core to investment decision making, as opposed to operational or technological functions, for example, sub-advisory relationships where a third-party adviser takes responsibility for trading a portion of the investment portfolio.  This approach would be preferable to a potentially broad list that could result in hundreds of different services being considered “Covered Functions” by different groups of investment advisers.  Further, a tailored approach would be aligned with the Commission’s directive that a compliance program be risk-adjusted for each adviser.  The Proposed Rule should encourage risk-based review and mitigation of issues.

Issues With Due Diligence Requirements

The Proposed Rule would require investment advisers to address six elements when conducting due diligence on service providers performing “Covered Functions”.  Investment advisers would be required to (i) identify the nature and scope of the “Covered Function”, (ii) conduct risk analysis, mitigation, and management, (iii) determine that the service provider has the competence to perform the “Covered Function” in a timely and effective manner, (iv) determine whether subcontracting arrangements exist that would be material to the performance of the “Covered Function”, (v) obtain reasonable assurances from the service provider that it will coordinate with the investment adviser for purposes of compliance with the federal securities laws, and (vi) ensure orderly termination.

It is an important part of the compliance function for investment advisers to diligence and monitor their vendors.  As the Commission has indicated, diligence is integral to an investment adviser’s duty of care, and investment advisers retain ultimate responsibility for any outsourced functions.  However, the adoption of the Proposed Rule may have the unintended effect of lowering the quality of due diligence that is currently performed by investment advisers in multiple ways.  By requiring specific areas of diligence for all “Covered Functions”, and for all types of investment advisers, the Proposed Rule will incentivize investment advisers to conduct “check-the-box” universal due diligence, such as by preparing standardized questionnaires, rather than focusing on the specific risks that each vendor poses to the individual investment adviser.  This is contrary to the Commission’s oft-stated mandate for investment advisers to tailor their compliance programs to the unique risks of each adviser.

In addition, the Compliance Committee is concerned that in certain cases, investment advisers might not have internal expertise that would be sufficient to prepare meaningful questions (for example, with respect to outsourced technology providers) or analyze all of the elements that are being required by the Proposed Rule.  As a result, the Proposed Rule may encourage outsourcing due diligence to vendors specialized in conducting such diligence.  While outsourcing this function occurs today and could be appropriate in certain circumstances, a massive increase in investment advisers outsourcing the due diligence function could lead to even more standardization, which the Compliance Committee believes will undermine the stated goals of the Commission in the Proposal.  In the end, we believe that the Proposed Rule has the potential to cause investment advisers to perform more formulaic due diligence or outsource due diligence to a third party, and consequently fail to identify problematic vendors that could have been identified without prescriptive requirements.  By requiring specific areas of diligence for all “Covered Functions” that are not tailored to the adviser’s business, the Proposed Rule removes the need to conduct a risk assessment for service providers that provide “Covered Functions” and thereby inadvertently discourages (or excludes) the need to identify and mitigate firm-specific risks (i.e., advisers will spend too much time documenting an overbroad inventory of service providers at the expense of careful attention to high-risk vulnerabilities such as those related to its specific duty of care; for example, most importantly, when an adviser is sharing personal data, systems access, funding, MNPI or other similar scenarios).

Practical Impact of Proposed Rule

If the Proposed Rule is adopted as drafted, the Compliance Committee believes that all registered investment advisers would need to take the following steps:

  • Conduct a full analysis of all existing third-party service providers in order to determine whether each service provider performs a “Covered Function.”
  • Document that review process in order to demonstrate to the Commission upon exam that the investment adviser has complied with Rule 206(4)-11.
  • With respect to service providers performing “Covered Functions”, create a due diligence questionnaire to be sent to such service providers in order to complete the six requirements for due diligence.
  • Circulate that questionnaire to service providers and follow up to receive responses.
  • Review the responses together with the applicable service provider agreement to ensure that the requirements are met, and if not, amend existing agreements to ensure compliance.
  • Perform an annual review of each service provider performing “Covered Functions” and periodically circulate updated due diligence requests.

The Compliance Committee believes that the above steps will take substantial time and resources to complete, at great cost to investment advisers.  The impact of the Proposed Rule on smaller investment advisers could be insurmountable, as the Commission seems to acknowledge in the Proposal and considered in the requests for comment.  The Commission has recognized in the past, particularly in the Final Rule Release from 2004 in connection with Rule 206(4)-7, that smaller advisers would have increased costs as a result of proposed rules regarding the implementation of more formal compliance programs.  In that Rule Release, the Commission said that outsourcing would be a factor that would enable smaller advisers to control and minimize costs.  The Proposed Rule, however, would impose additional costs on their ability to outsource those functions.  If the Commission determines to move forward with the Proposed Rule, it should consider a blanket exception for investment advisers under a certain size.

Another practical consequence of the Proposed Rule is that service providers would be required to respond to voluminous, unpredictable, and potentially individualized due diligence requests from all affected investment advisers.  Service providers performing Covered Functions may not have existing internal resources that are sufficient to respond to such requests, or may resort to preparing form responses that will not provide meaningful ability for investment advisers to analyze responses to their due diligence requests.  If service providers would be forced to hire additional personnel to respond to a large volume of due diligence requests, or suffer other increases to expenses, the Compliance Committee is concerned that the availability or quality of outsourced services may be diminished, harming investment advisers, and ultimately investors, as a result of the significant overhead that providing services to the investment adviser industry will potentially require. The Proposed Rule will likely lead to consolidation in the market for outsourced service provision to investment advisers, decreasing competition and quality, and raising costs for investment advisers and, in turn, investors.

Comparison to Other Risk Based Compliance Initiatives

The Commission has recognized in the past that regimented compliance programs are not necessarily the most effective way to ensure compliance with federal securities laws.  In the Proposed Rule Release for Rule 206(4)-7, the Commission wrote that “funds and advisers are too varied in their operations for the Commission to impose a single list of required elements.  Each adviser should adopt policies and procedures that take into consideration the nature of each organization’s operations.”[1]  The Compliance Committee believes that the same philosophy applies to the practice of outsourcing.

By introducing a formal and prescriptive rule that will require investment advisers to conduct due diligence in a specific manner, rather than a risk-based approach that considers the business relationships applicable to each investment adviser, the Proposed Rule potentially undermines the goals and protections of 206(4)-7 and related compliance reviews.  The Proposed Rule, if adopted, will require a disproportionate amount of compliance time to be spent on potentially formulaic due diligence requests, rather than a thoughtful consideration of each service provider to whom functions are outsourced, appropriate and measured requests to address specific concerns, and meaningful disclosures to investors regarding the service providers that perform the most material functions and pose the most risk.

For example, providing guidance and relying on the annual 206(4)-7 review has been effective with respect to encouraging investment advisers to adopt and review business continuity plans, even without formal rulemaking.  The Commission’s Division of Examinations has stated in prior risk alerts (the “BCP Risk Alert”) that business continuity plan (“BCP”) reviews should be considered part of the annual review.  In a Risk Alert following Hurricane Sandy, the Commission stated that compliance policies and procedures “should include BCPs because an adviser’s fiduciary obligation to its clients includes taking steps to protect the clients’ interests from risks resulting from the adviser’s inability to provide advisory services after, for example, a natural disaster.”[2]

In 2016, following the BCP Risk Alert, the Commission proposed Rule 206(4)-4, which would have required investment advisers to adopt and implement written business continuity and transition plans reasonably designed to address operational and other risks related to a significant disruption in the investment adviser’s operations.[3]  Proposed Rule 206(4)-4 contained similar prescriptive requirements for BCPs relating to the content of such plans, but was never adopted.  In the BCP Risk Alert, the Division of Examinations observed that “advisers generally adopted and maintained written BCPs.  The degree of specificity of the advisers’ written BCPs varied.”  The Division of Examinations observed some weaknesses in BCPs that did not adequately address and anticipate widespread events.  However, the Division of Examinations noted in the BCP Risk Alert that “advisers should enhance and design the implementation of their BCPs by developing policies and procedures to address and anticipate widespread events, including possible interruptions in key business operations and loss of key personnel for extended periods.”  Ultimately, even without the passage of Rule 206(4)-4, the Compliance Committee believes that the Commission’s guidance on business continuity has been effective in influencing investment advisers to adopt BCPs and review those plans on an annual basis in connection with their existing obligations under Rule 206(4)-7.

The same analysis should apply with respect to the inability of a material service provider to provide services, whether due to a natural disaster, an internal issue that the service provider is experiencing, such as a cybersecurity issue, or general competence.  Allowing investment advisers to make these assessments on a case-by-case basis, with the knowledge that the Commission will be focused on outsourced arrangements during examinations, would likely be sufficient to address some of the concerns expressed by the Commission in the Proposal.

Other government agencies or self-regulatory organizations in the United States have taken principles-based approaches to outsourcing services to third parties.  For example, the Office of the Comptroller of the Currency (the “OCC”) has provided guidance on managing third-party relationships without imposing prescriptive rules on its constituents.[4]  In its guidance, the OCC states that “there is no one way for banks to structure their third-party risk management process.  OCC Bulletin 2013-29 notes that the OCC expects banks to adopt an effective third-party risk management process commensurate with the level of risk and complexity of their third-party relationships.”[5]  Similarly, the National Futures Association (“NFA”) issued an interpretive notice with respect to NFA Compliance Rules 2-9 and 2-36 regarding NFA members’ use of third-party service providers, in which the NFA did not create prescriptive rules, but rather requires NFA members to have a written supervisory framework that is tailored to meet general requirements established by the NFA.[6]  While the NFA’s guidance encourages many of the same practices contemplated by the Proposed Rule, including an initial risk assessment, onboarding due diligence, ongoing monitoring, notice requirements for termination, and recordkeeping, it is not a rule that would prohibit outsourcing unless all of these practices are met, but rather a principles-based approach intended to encourage good practices by NFA members.

The Compliance Committee encourages the Commission to issue guidance regarding outsourcing practices and then to utilize the Division of Examinations’ examination program to better analyze the current practices of investment advisers with respect to outsourcing.  This will enable the Commission to determine whether the Proposed Rule is necessary or whether the issued guidance would be sufficient to address the expressed concerns.  In the event that the Commission were to determine that a significant portion of the industry does not engage in sound practices with respect to outsourcing, the Compliance Committee believes that the Commission has existing tools at its disposal to correct such behaviors.

* * *

The Compliance Committee appreciates the opportunity to comment on the Proposal.  If we can be of any further assistance in this regard, please feel free to contact us.

Respectfully submitted,

Patrick T. Campbell
Co-Chair, Compliance Committee

Adam B. Felsenthal
Co-Chair, Compliance Committee

cc:

The Hon. Gary Gensler, Chairman
The Hon. Hester M. Peirce, Commissioner
The Hon. Caroline A. Crenshaw, Commissioner
The Hon. Mark T. Uyeda, Commissioner
The Hon. Jaime Lizárraga, Commissioner

Drafting Subcommittee:

The Compliance Committee is grateful to Brian Forman (Partner) and Tracy Sigal (Senior Counsel) from Morrison Cohen LLP for their assistance in drafting the letter, as well as Compliance Committee members Lawrence Block, AJ Bosco, Rory Cohen, Beth Haddock, Malikah Fulton, Scott Gluck, Howard Meyerson, Sharanya Mitchell and Devi Shanmugham.

Footnotes

[1] https://www.sec.gov/rules/final/ia-2204.htm

[2] https://www.sec.gov/about/offices/ocie/business-continuity-plans-risk-alert.pdf

[3] https://www.sec.gov/rules/proposed/2016/ia-4439.pdf

[4] https://www.occ.gov/news-issuances/bulletins/2020/bulletin-2020-10.html

[5] See id., Question 6.

[6] https://www.nfa.futures.org/rulebooksql/rules.aspx?Section=9&RuleID=9079