Outsourcing by financial advisers to face closer oversight

A detailed look at SEC proposals to ensure due diligence and monitoring of outsourced service providers.

The US Securities and Exchange Commission has proposed new rules that will require investment advisers to conduct due diligence and monitoring of outsourcing service providers with which they wish to do business. The primary goal of the SEC is to ensure that IA clients receive the same level of fiduciary protection even with an increased use of service providers.

According to the SEC, investment adviser operations, as well as the needs of their clients, have become ever more complex over the last few decades, and an effective way to address that operational complexity is to outsource certain discrete functions to specialist providers. As it has become possible to outsource an ever wider range of core functions, the SEC has grown concerned about the pervasive use of such services, and about the fact that they are now integral to the fulfilment of investment advisers’ regulated obligations.

Core obligations

SEC Chair Gary Gensler recognizes that the use of outsourced services may be both efficient and cost effective, but makes it very clear that this “does not change an adviser’s core obligations to its clients”. Neither does outsourcing change the need to comply with securities laws and regulations.

The SEC’s proposed rules require advisers to “satisfy specific due diligence elements before retaining a service provider” and to “subsequently carry out periodic monitoring of the service provider’s performance”.

The requirement for due diligence and monitoring applies to “covered functions”. The definition of a covered function is quite broad and means “a function or service that is necessary for the investment adviser to provide its … services in compliance with the Federal securities laws” and one “that, if not performed or performed negligently, would be reasonably likely to cause a material negative impact” on clients or on the adviser’s ability to provide its services.

Covered functions

There is a useful list of covered functions in Schedule D of the newly proposed rules that specifies:

  • Adviser/Subadviser;
  • Client Servicing;
  • Cybersecurity;
  • Investment Guideline/Restriction Compliance;
  • Investment Risk;
  • Portfolio Management (excluding Adviser/Subadviser);
  • Portfolio Accounting;
  • Pricing;
  • Reconciliation;
  • Regulatory Compliance;
  • Trading Desk;
  • Trade Communication and Allocation; and
  • Valuation.

Under the new rules, before outsourcing the services, an adviser is required to conduct due diligence to show that it is appropriate both to outsource the covered function and to employ the specific service provider selected. The due diligence must address six specific elements:

  • Nature and scope of services.
  • Potential risks including their management and mitigation.
  • The service provider’s competence, capacity and resources.
  • The service provider’s subcontracting arrangements.
  • Coordination with the service provider for securities law compliance.
  • Orderly termination of the function by the service provider.

In effect, the due diligence is intended to cover the full life cycle of an outsourcing arrangement, beginning with the scope of services that the arrangement is intended to cover, through the provision of those services and their relationship with the regulator, and to a realistic and ordered exit path.

Record keeping brought firmly into the scope of the rules

The SEC also singles out third-party record keeping for due diligence and monitoring under the proposed rules, which are intended to “provide a comprehensive oversight framework … to protect against loss, alteration, or destruction of an adviser’s records”. Record keepers are explicitly brought within scope of the new regime and the record keeping function is to be treated as if it were a “covered function”, with the record keeper a “service provider” as defined in the newly proposed rule.

The six elements in the due diligence framework identified above therefore apply to record keepers and, in addition, the SEC indicates that due diligence of this outsourced function should be tailored to its particular specifics. Advisers should consider the “capability and experience” of record keepers taking into account competence, capacity and resources generally.

In conducting its due diligence, the SEC expects the adviser to review the provider in order to assess the following factors:

  • Parameters, benefits, and risks of the services provided.
  • Capability and experience.
  • Compliance and operational policies and procedures for
    • protection of data
    • maintenance and oversight of data.
  • Ability to prevent, detect and respond to cybersecurity threats.
  • Experience of other similarly situated advisers previously engaging the provider.

While the adviser is not expected to “understand the intricacies” of “the cloud service’s operations”, it should “have a reasonable understanding of the cloud service and the risks of the service”, including being able to mitigate and manage those risks.

Compliance is non-negotiable

The SEC acknowledges that the record keeping arrangements may vary considerably between firms, and that compliance with the proposed rules will depend on the particular facts and circumstances, but such compliance is non-negotiable. The SEC indicates that it is “aware of instances where advisers engage a third party to learn only later” that required records cannot be produced in a reviewable format. The due diligence now required is intended to help identify and address such issues before the record keeper is engaged by the adviser.

Once the record keeper has been engaged, the adviser is required to periodically monitor and reassess its performance. The SEC deems such monitoring critical, but allows a degree of flexibility as to its manner and frequency.

Reasonable assurances

In addition to the due diligence and monitoring regime the adviser is required to “obtain reasonable assurances that the third party will meet four standards specific to recordkeeping”:

  • Adoption and implementation of internal processes and systems for keeping records that meet all requirements of the recordkeeping rule.
  • Actually keeping records in a manner that will meet all requirements.
  • Easily providing access to the records during the required retention period.
  • Continued availability of records meeting all requirements in the event of a termination of the relationship or the ceasing of the third party’s operation.

Whether the records are physical or electronic, they must be easily accessible from the office of the adviser. In connection with cloud services this means that if the adviser can easily access or query, in its office, records stored in the cloud by the provider, the rule’s requirements are deemed to have been fulfilled. Physical records must be stored in the adviser’s office for an initial period and, when moved to an external storage location, must continue to be maintained in an “easily accessible place”.

Due diligence

This requirement is closely related to the due diligence requirement for assessing the ability to terminate the outsourcing relationship in an orderly fashion. Where the relationship between the adviser and the record keeper is terminated, irrespective of the reason for that termination, the records required by the record keeping rule must be protected against loss or destruction. The SEC provides three possible exit path options as examples. The adviser could, in the SEC’s view, require the cloud service provider to:

  • retain the records and maintain the adviser’s access rights to these; or
  • transfer the records to the adviser; or
  • transfer the records to another third party.

The rule proposal combines two themes that have become evident in the last 12 months in SEC rule making, messaging and, notably, enforcement. Record keeping is an extremely high priority, as is the need for more rigor in the oversight of critical third party providers of core services to finance companies, especially where a compromise of those providers might threaten market stability and the continuity of service. Vendors and the customers they supply need to work as partners to ensure the highest standards of regulatory compliance.

Shannon Rogers, President and General Counsel at Global Relay, says: “Your reputation and success are inextricably tied to the performance of your critical vendors. Choosing the right vendor can help you increase efficiency, comply with regulatory obligations, and run a better business. Choosing the wrong vendor can increase risk and decrease efficiency.”