Engaging service providers and outsourcing various functions is a normal part of running an effective business. From the newest emerging managers to the most established ones, venture capital firms and private fund shops regularly rely on service providers to fill various functions, including valuation, accounting, anti-money laundering and “know your customer”, investor reporting, risk analysis, regulatory compliance, and trade implementation. No firm can do it all in-house, nor would it make sense for a firm to do so. While exercising reasonable care in selecting service providers is to be expected, the Securities and Exchange Commission (SEC) proposed a new rule on October 26, 2022, that would impose specific due diligence and monitoring requirements on registered investment advisers (RIAs) outsourcing certain functions to service providers.
The SEC also proposed record-keeping requirements that would apply in connection with the new rule, as well as further diligence and monitoring requirements that would apply when RIAs engage third parties as record-keepers. If the rule is adopted, the prescribed oversight requirements would be particularly burdensome for smaller RIAs, many of which engage compliance consultants – and would need to conduct due diligence and periodic reassessments on their engagement of those compliance consultants – in addition to conducting such diligence and reassessments on other service providers.
Scope of the proposed rule
Proposed Rule 206(4)-11 under the Investment Advisers Act of 1940 would apply to RIAs, as would the proposed amendments to Investment Advisers Act Rule 204-2, which is known as the “Books and Records Rule.” Venture capital firms and private fund advisers that are “exempt reporting advisers” (ERAs) would not be subject to the proposed requirements.
Rule 206(4)-11 would apply with respect to “covered functions,” which the SEC proposes to define as functions that:
- Are necessary to provide advisory services in compliance with federal securities laws.
- If not performed or performed negligently, would be reasonably likely to cause a material negative impact on the RIA’s clients or on the RIA’s ability to provide investment advisory services.
The SEC proposes to define a “service provider” to include an RIA’s affiliates if they are not otherwise subject to the RIA’s oversight as supervised persons (as defined in the Investment Advisers Act).
Due diligence and monitoring
Under proposed Rule 206(4)-11, before engaging a service provider, an RIA would need to reasonably identify and determine that a covered function is appropriate to outsource to a service provider and that the selected service provider would be appropriate to perform such covered function. Rule 206(4)-11 would require an RIA to evaluate and consider the following elements as part of its due diligence:
- The nature and scope of the services to be performed.
- Potential risks resulting from the service provider performing the covered function, including how to mitigate and manage such risks.
- The service provider’s competence, capacity, and resources necessary to perform the covered function in a timely and effective manner.
- The service provider’s subcontracting arrangements related to the covered function – and how the RIA will mitigate and manage potential risks in light of any subcontracting arrangements.
- Coordination with the service provider for federal securities law compliance.
- The orderly termination of the provision of the covered function by the service provider.
Once selected, the RIA would need to periodically monitor the service provider and reassess the elements above to reasonably determine that it would be appropriate to continue outsourcing the covered function to that service provider. The amount of due diligence that would be considered reasonable would depend on the nature, scope, and risk profile of a covered function and the service provider.
Record-keeping requirements
The SEC also is proposing to amend the Books and Records Rule to require an RIA to keep detailed records related to its compliance with Rule 206(4)-11. This would include maintaining a list of covered functions and the service providers to whom such functions have been outsourced, records that document the RIA’s due diligence and monitoring as required by Rule 206(4)-11, and copies of written agreements entered into with the service providers. Such records would need to be maintained in an easily accessible place throughout the period that the RIA outsources a covered function, and for a period of five years thereafter.
In addition, if an RIA relies on a third party to make and/or keep any books and records required by the Books and Records Rule, the proposed amendments would require the RIA to perform due diligence and monitoring as though the record-keeping function were a covered function and the third party were a service provider. The RIA would also need to obtain reasonable assurances that the third party will:
- Adopt and implement internal processes and/or systems for making and/or keeping records that meet the requirements of the Books and Records Rule applicable to RIAs.
- Make and/or keep records that meet all of the requirements of the Books and Records Rule applicable to RIAs.
- Provide the RIA and the SEC with access to electronic records.
- Ensure the continued availability of records if the third party’s operations or relationship with the RIA ceases.
The SEC suggests that one way to obtain reasonable assurances from a third-party record-keeper would be to enter into a written agreement that expressly includes the four standards listed above. Alternatively, an RIA may seek to ensure the requirements are satisfied through one or more letters of understanding, statements of work, or other means.
Form ADV reporting and transition period
Accompanying proposed Rule 206(4)-11 and the proposed record-keeping requirements is a proposed amendment to the Form ADV. The SEC proposes to include a new item in Part 1A that would collect census-type information about the RIA’s use of service providers.
If the SEC’s proposals are adopted, RIAs would have 10 months from the effective date to come into compliance. The new requirements would apply to any engagement of new service providers made on or after the compliance date, with ongoing monitoring requirements also applying to existing engagements of service providers. Comments on the proposal will be due 30 days after publication in the Federal Register or December 27, 2022, whichever is later, and may be submitted here: https://www.sec.gov/regulatory-actions/how-to-submit-comments