This blog post was written in collaboration between Hilary Jewhurst at Venminder and Mike Morris at Wipfli, a consulting firm whose services range from audit and accounting to digital transformation and managing disruption.
Although outsourcing isn’t new, it has become more widespread and complex. And while many registered investment advisors (RIAs) must outsource to remain competitive, it’s crucial to identify and mitigate the risks associated with outsourcing. According to the Securities and Exchange Commission (SEC), if an advisor outsources specific functions without taking proper steps to ensure the protection of their clients’ interests, it may be considered deceptive and not in line with their legal obligations under federal securities laws.
To address this issue, the SEC proposed a new rule under the Investment Advisers Act of 1940 to prohibit RIAs from outsourcing certain services or functions without first meeting minimum requirements.
If adopted in its current form, the rule will require RIAs to identify all covered entities, perform risk assessments and due diligence that align with the identified risk, conduct ongoing monitoring, and carry out an orderly termination if needed.
What Is a Covered Entity?
A covered entity is a service provider that performs a covered function: any function or task that is necessary for offering advisory services in compliance with federal securities laws. In general, the SEC would define covered functions as services and functions that pertain to an RIA's investment decision-making processes or the management of its portfolios.
This would include any responsibility that falls under your fiduciary obligation to your clients. Examples include pricing, reconciliation, regulatory compliance, and valuation. The rule does not cover clerical or general office functions.
According to the proposed rule, RIAs need to consider the following regarding covered entities:
- Whether the service provider could create a material negative impact, considering factors such as:
  - The day-to-day operational reliance on the service provider
  - Loss or disclosure of clients' personally identifiable information (PII)
  - Whether the service provider is making or maintaining critical records, among other things
- Whether the adviser has a strong internal backup process in place
Best Practices for Registered Investment Advisers to Comply With Outsourcing Rule
There’s a lot to consider as registered investment advisers begin moving toward compliance with the proposed rule. This process may seem overwhelming to take on.
Here are some best practices to follow to comply with regulations:
- Create an inventory of vendors – The proposed regulation requires advisers to identify the covered functions and keep a record of the factors that led each one to be included. Your accounts payable department is a good place to start when building the list.
- Assess the risk of each covered entity – This process depends on the nature and scope of each covered function. When an RIA is deciding whether to engage a service provider for a covered function, it must assess the risk of the provider to ensure that the provider is a suitable choice. The risk assessment must consider six specific factors:
  - Sensitivity of the information and data involved
  - Complexity of the function being outsourced
  - Reliability and accuracy of the services or functions delivered
  - Available alternatives if the service provider fails or is unable to perform the services
  - Speed with which the function could be moved to a new service provider
  - Existing or potential conflicts of interest (such as the service provider's incentive to meet its obligations to some clients ahead of others)
- Perform due diligence on each covered entity – While the guidance isn’t finalized, at a minimum, due diligence will need to be performed annually. Due diligence should always be risk-based. The higher the risk of engagement, the more robust the due diligence should be. When performing due diligence, here are some examples of documentation you can request:
When conducting due diligence, RIAs should watch for red flags such as gaps in the requested documentation, significant findings in an audit report, a lack of remediation plans, and weak financials.
- Monitor service providers on an ongoing basis – The proposed rule requires advisers to monitor service providers. The level of attention given to each provider should match the risk level of their activity. If any issues regarding their service have been identified or documented, appropriate actions must be taken to address them. Moreover, reports and service level agreements (SLAs) should be closely observed to ensure that all tasks are carried out accurately, promptly, and thoroughly.
- Have an exit strategy in place – It’s crucial to have termination clauses outlined in the contract. You’ll need to know if there are fees with early termination and how you’ll get data back from the service provider. You should also know what to expect from the vendor when you terminate the contract.
- Ensure service providers keep documentation and records – Per the proposed rule, every investment adviser who outsources a covered function to a service provider, and depends on that provider to create and maintain the books and records required by Rule 204-2, must obtain reasonable assurances that the service provider can:
  - Establish and use internal systems to maintain accurate records that adhere to Rule 204-2
  - Create and/or maintain records that fulfill all the conditions of Rule 204-2 that are relevant to the RIA
  - Provide access to electronic records
  - Keep records accessible even if the service provider's operations come to a halt or the relationship with the RIA is terminated
The purpose of this requirement is to prevent important records from getting lost, altered, or destroyed. This ensures that the RIA can access these records easily, and the SEC staff can also access them if needed.
Preparing for Regulatory Scrutiny and Enforcement of Registered Investment Advisers
Despite industry criticism of the proposed rule, it is imperative that investment advisers thoroughly review both the proposal and their current outsourcing framework. Failure to do so could result in unanticipated challenges and regulatory enforcement actions. For example, the SEC disclosed that it has taken enforcement measures against an RIA for using models from a third-party subadvisor without verifying that the models were functioning as the RIA intended. In another recent action, an adviser neglected to supervise a third-party vendor that failed to adequately secure customers' personal identifying information.
RIAs need to review the proposed rule to prepare for compliance. If the new rule is put into effect, advisors will need to comply within 10 months for new service provider engagements that happen on or after the compliance date. Existing arrangements will also need to follow the ongoing monitoring obligations starting from the compliance date.