SEC Proposes to Require Registered Investment Advisers to Implement a Comprehensive Oversight Framework for Service Providers

I. Introduction

On October 26, 2022, the U.S. Securities and Exchange Commission (SEC) proposed new Rule 206(4)-11 (the “Vendor Oversight Rule” or the “Rule”) to prohibit investment advisers registered under the Investment Advisers Act of 1940 (“Advisers Act”) from outsourcing certain functions to service providers unless minimum due diligence, oversight, and written recordkeeping requirements are met (the “Proposal”).[1] Under related amendments to Form ADV, advisers would also be required to make public reports to the SEC that identify key information about these service providers. 

II. Take-aways

• The Vendor Oversight Rule would require advisers to implement and document a due diligence process for initially approving and thereafter maintaining outsourced and similar service relationships with certain types of service providers, generally including the following: valuation, subadviser, client services, cybersecurity, investment risk, portfolio accounting, pricing, reconciliation, trading desk, and trade communication and allocation. 
• The Proposing Release emphasizes information technology (e.g., cloud services) and related cybersecurity issues as key areas that advisers should consider when overseeing outsourced service providers. 
• The Vendor Oversight Rule would not apply to U.S. and non-U.S. private fund advisers that file a Form ADV with the SEC as “exempt reporting advisers.”
• The SEC believes that certain relationships with index providers would be subject to the proposed Vendor Oversight Rule.  This reinforces the SEC’s ongoing focus on index providers and their relationships with advisers, including the SEC staff questioning the basis for certain index providers to qualify for an exemption from investment adviser registration.[2]

III. Overview

A. Service Provider Oversight

Rule 204(6)-11 would require registered advisers to engage in initial due diligence and ongoing oversight of Service Providers that perform Covered Functions, as those terms are defined under the Rule. Prior to retaining a Service Provider, an adviser would need to determine that it is appropriate to outsource the Covered Function based on six factors.  An adviser would also be required to monitor the Service Provider and periodically reassess that the Service Provider’s performance of the Covered Function is consistent with these factors.[3] As part of its initial due diligence and ongoing monitoring, an adviser will be expected to:

1. Identify the nature and scope of the Covered Function that the Service Provider is to perform; 
2. Identify and determine how it will mitigate and manage the potential risks to clients or to the adviser’s ability to perform its advisory services resulting from engaging the Service Provider to perform the Covered Function;
3. Determine that the Service Provider has the competence, capacity, and resources necessary to perform the Covered Function in a timely and effective manner;
4. Determine whether the Service Provider has any subcontracting arrangements that would be material to the Service Provider’s performance of the Covered Function, and identify and determine how the adviser will mitigate and manage potential risks raised by those arrangements;
5. Obtain reasonable assurance from the Service Provider that it is able to, and will, coordinate with the adviser for purposes of the adviser’s compliance with the federal securities laws; and
6. Obtain reasonable assurance from the Service Provider that it is able to, and will, provide a process for an orderly termination of its performance of the Covered Function.[4]

While the SEC states that it has attempted to narrowly define the term “Covered Function,” its definition will broadly cover any material service provider relationships an adviser has with third parties. A Covered Function means a function or service that is necessary for the adviser to provide its investment advisory services in compliance with the federal securities laws and that, if not performed or performed negligently, would be reasonably likely to cause a material negative impact on the adviser’s clients or on the adviser’s ability to provide investment advisory services.[5]  For purposes of the Rule, a “Service Provider” means a person or entity that performs one or more Covered Functions and is not a supervised person of the adviser, as defined in Section 202(a)(25) of the Advisers Act.[6] Whether any entity meets the definition of a Service Provider under the Rule depends on the facts and circumstances.[7] 

In the Proposing Release, the SEC explained how the Rule’s definition of Service Provider could apply to the following types of entities:

• Investment-Related Functions. The Proposing Release notes that functions related to an adviser’s investment decision-making process generally would be subject to the Rule, including Service Providers that: (i) provide investment guidelines, (ii) maintain restricted trading lists, (iii) create and provide models related to investment advice, (iv) create and provide custom indexes, (v) provide investment risk software or services, (vi) provide portfolio management or trading services or software, and (vii) provide portfolio accounting services.[8]  Moreover, if an adviser’s investment decision-making process relies on artificial intelligence or software as a service, the SEC explains that these services may form part of the Covered Function even though they are provided through technology.[9]  Similarly, it is possible that outsourced investment research and data analytics (e.g., alternative data) providers could also be subject to the Rule.
• Valuation Providers and Custodians. A valuation provider for a client’s portfolio would be considered a Service Provider under the Rule.[10]  For custodians, the SEC explained that a custodian retained by the client is not covered by the Rule since the custodian is not providing a function that is necessary for the adviser to provide its advisory services.[11]  We note that if an adviser engages a custodian directly on behalf of its clients or the adviser requires clients to engage one or more specific custodians, the adviser’s arrangement with the custodian could be subject to the Rule. 
• Index Providers. The SEC highlighted advisers’ increased use of index providers, noting that if an adviser relies on an index provider to help formulate the adviser’s investment advice, it would be a Covered Function.[12]  However, licensing an index solely as a performance benchmark would not be a Covered Function under the Rule.[13]
• Compliance. The SEC noted that many common outsourced compliance services would qualify as Covered Functions, including outsourcing the adviser’s chief compliance officer, regulatory filings (such as Form ADV or Form CRS), valuation, pricing services, or other regulatory functions.[14]  While the Proposing Release does not address outsourced legal services, it is possible that such services could be Covered Functions based on similar reasoning.
• Other Categories Identified in Form ADV.  In addition to the categories above, the proposed amendments to Section 7.C of Schedule D of Form ADV include categories that the SEC believes could be Covered Functions: Adviser/Subadviser, Client Services, Cybersecurity, Investment Risk, Portfolio Accounting, Pricing, Reconciliation, Trading Desk, and Trade Communication and Allocation.  The SEC explained that advisers should consider these categories when assessing whether any Service Provider performs a service that would be a Covered Function.[15]   

The Rule would explicitly exclude clerical, ministerial, utility, or general office functions or services from the definition of a Covered Function.[16] The SEC also noted that arrangements with marketing firms and solicitors would not be covered by the Rule because those functions are not related to the adviser’s provision of investment advice.[17]  Importantly, the definition of Service Provider does not exclude affiliates of the adviser. Accordingly, advisers that are part of a multi-service firm that rely on service arrangements with affiliates would be subject to the Rule. Moreover, this definition does not exclude other registered entities.  Thus, the Rule can apply to investment advisers, broker-dealers, and other registrants if they perform a Covered Function.   

The Rule does not prescribe a method for complying with the initial due diligence and ongoing oversight requirements but does suggest that the adviser could address some of these factors in the agreement with the Service Provider, a separate record, or policies and procedures. The SEC also points out that if the Rule is adopted, existing Rule 206(4)-7 would require the adviser to have policies and procedures reasonably designed to prevent violations of Rule 206(4)-11.[18]

B. Recordkeeping

The Proposal would also amend Rule 204-2 to require advisers to maintain records related to Rule 206(4)-11 and impose additional requirements for advisers that outsource their recordkeeping functions. First, the Rule would require an adviser to make and keep a record of the following:

• A record of Covered Functions that the adviser has outsourced to Service Providers and the name of each Service Provider, along with a record of the factors that led the adviser to list each function as a Covered Function;
• A record documenting that the adviser conducted the due diligence assessment required under Rule 206(4)-11;
• Policies and procedures or other documentation indicating how the adviser will comply with the due diligence requirement to mitigate and manage the risks it identifies, both at a Covered Function and a Service Provider level;
• Copies of any written agreements that the adviser enters into with each Service Provider regarding Covered Functions; and
• Records documenting that the adviser has engaged in periodic monitoring of each applicable Service Provider.

Second, proposed amendments to Rule 204-2 would require an adviser that outsources any of its required recordkeeping obligations under Rule 204-2 to: (i) comply with the due diligence and monitoring requirements of Rule 206(4)-11 for the Service Provider; and (ii) obtain certain reasonable assurances from the Service Provider.[19] Under proposed Rule 204-2(l), an adviser would be required to obtain reasonable assurances that the third party will: (i) adopt and implement internal processes and/or systems for making and/or keeping records on behalf of the investment adviser that meet all of the requirements of Rule 204-2; (ii) actually make and keep records in a manner that complies with Rule 204-2 applicable to the adviser; (iii) for electronic records, allow the adviser and SEC staff to access the records electronically; and (iv) ensure the continued availability of the adviser’s required records in the event that the third party ceases operating or the relationship with the adviser is terminated.[20]  The SEC did not specify how an adviser must comply with these requirements, but suggested that a written agreement with the Service Provider or a letter of understanding could address the required assurances.[21] 

C. Form ADV

The Proposal would amend Form ADV to require an adviser to identify Service Providers and the Covered Functions they provide, including details like the date of initial engagement, the adviser’s office principally responsible for the Covered Function, and any affiliation with the adviser.[22]  Form ADV would specify several categories of Covered Functions, although the suggested categories are not exhaustive. Amended Form ADV would include an “Other” category for the adviser to identify any other Service Provider that performs a Covered Function that is not included in the suggested list of categories.

IV. Next Steps

The comment period for the Proposal closes either 30 days from the publication of the Proposal in the Federal Register or on December 27, 2022, whichever is later.  Although the final form of the Vendor Oversight Rule and its timing remain uncertain, it signals the SEC’s continued focus on advisers’ fiduciary duties and the responsibility that advisory firms should have to thoughtfully consider how they outsource important functions to Service Providers and monitor the risks presented by these practices. 

V. Our Views

• If adopted, the Vendor Oversight Rule will formalize and increase the financial and human resources an adviser must expend on due diligence and oversight of service providers. We expect this will have the greatest impact on smaller RIAs and contribute to existing industry trends towards RIA consolidation, driven in part by the ability of larger firms to leverage technology, centralized operations, and compliance infrastructure.
• Determining whether any vendor meets the definition of a Service Provider depends on a subjective facts and circumstances analysis. Given that the impact of any vendor disruption may only be known with the benefit of hindsight, an adviser may err on applying the Rule broadly to its service provider relationships to prevent the SEC from second guessing the adviser’s initial determination if and when a disruption occurs.
• Rule 38a-1 under the Investment Company Act of 1940 already requires RIAs to registered funds to adopt policies and procedures to provide for oversight of certain service providers to the registered fund, including the fund’s investment advisers, principal underwriters, administrators, and transfer agents. The Rule would appear to create similar, but separate, obligations for advisers with respect to their non-registered fund clients. 
• The SEC’s focus in the Proposing Release on index providers could signal that a significant rulemaking proposal for index providers is imminent.

[1] See Oversight of Service Providers, SEC Rel. No. IA-6176 (Oct. 26, 2022) (the “Proposing Release”).

[2] The SEC staff is currently reviewing public responses to its recent request for comments on index providers. See Request for Comment on Certain Information Providers Acting as Investment Advisers, SEC Rel. No. IA-6050 (June 15, 2022).

[3] The SEC explains that the level and frequency of the ongoing monitoring will depend on the risks posed by the Service Provider, but suggested that such oversight could include, among other things, onsite visits, automated scans or reviews of service provider data feeds, periodic meetings with the provider to review service metrics, or contractual obligations to test and approve new systems prior to implementation. See Proposing Release at 68.

[4] See Proposed Rule 206(4)-11(a)(1).

[5] See Proposed Rule 206(4)-11(b).

[6] Id.

[7] See Proposing Release at 21.

[8] Id. at 22.

[9] Id. at 23.

[10] Id.

[11] Id.

[12] Id.

[13] See Proposing Release at 23.  

[14] Id. at 23–24.

[15] Id. at 21.

[16] See Proposed Rule 206(4)-11(b).  The SEC explained in the Proposing Release that this exclusion would cover an adviser’s lease of commercial office space or equipment, public utility companies, utility or facility maintenance, general software providers of widely commercially available operating systems, word processing systems, spreadsheets, or other similar off-the-shelf software. See Proposing Release at 25.

[17] See Proposing Release at 25.

[18] See Proposing Release at 17.

[19] See Proposed Rule 204-2(l). 

[20] See Proposed Rule 204-2(l)(2).   

[21] See Proposing Release at 90.

[22] See Proposing Form ADV, Part 1A, Item 7.C, and Section 7.C of Schedule D.