Third party risk management: SEC Investment Adviser Proposal

November 2022

KPMG Insight. The SEC is proposing to establish an oversight framework that would require “investment advisers take steps to continue to meet their fiduciary and other legal obligations regardless of whether they are providing services in-house or through outsourcing, whether through third parties or affiliates.” Citing recent enforcement actions where investment advisers did not exercise oversight of service providers, SEC stated “more needs to be done to protect clients and enhance oversight of advisers’ outsourced functions.” The proposed due diligence and monitoring expectations are closely aligned with third-party risk management expectations currently imposed on banking organizations. SEC registered (and required to be registered) investment advisers should anticipate heightened attention to their third-party service provider relationships in advance of a final rulemaking, including documentation of due diligence and monitoring efforts, and recordkeeping practices. 

The Securities and Exchange Commission (SEC) is proposing new oversight requirements for investment advisers that retain a service provider to perform certain functions and services. The proposal addresses:

• Due diligence and monitoring expectations
• Books and records requirements, for investment advisers and separately for third parties
• Form ADV amendments

Due diligence and monitoring expectations

The SEC proposes new rule 206(4)-11 under the Investment Advisers Act of 1940 (Advisers Act), which would establish due diligence and monitoring expectations for registered (or required to be registered) investment advisers that retain a service provider to perform a “covered function” (see definition below).

In particular, the rule would state that, “as a means reasonably designed to prevent fraudulent, deceptive, or manipulative acts, practices, or courses of business,” it would be “unlawful” for an investment adviser to retain a service provider to perform a covered function unless the investment adviser:

• Before engaging a service provider, “reasonably” identifies and determines that it would be appropriate to retain a service provider to perform the covered function.
• Selects an “appropriate” service provider based on consideration of the following six elements:

1. The nature and scope of the services
2. Potential risks to clients or the investment adviser’s ability to perform its advisory services resulting from the service provider performing the covered function, including mitigation and management of such risks
3. The service provider’s competence, capacity, and resources necessary to perform the covered function
4. Any subcontracting arrangements the service provider has that would be material to the service provider’s performance of the covered function
5. The ability and willingness of the service provider to coordinate with the investment adviser for purposes of the investment adviser’s compliance with Federal securities laws
6. The service provider’s “reasonable assurance” that it is able and willing to provide for orderly termination of its performance of the covered function

• Periodically monitors the service provider’s performance and reassesses the selection of the service provider based on the six due diligence elements.

Policies and procedures. Although the proposed rule does not require additional explicit written policies and procedures related to service provider oversight, if the proposed rule were adopted, advisers would be required under existing rule 206(4)-7 to have policies and procedures reasonably designed to prevent violations of the Advisers Act and rules under the Act, and this requirement would apply to the proposed rule.

A “service provider” would be defined as a person or entity that:

• Performs one or more covered functions, and
• Is not a supervised person of the adviser.

A “covered function” would be defined as:

• A function or service that is necessary for the adviser to provide its investment advisory services in compliance with the Federal securities laws, and
• That, if not performed or performed negligently, would be reasonably likely to cause a material negative impact on the adviser’s clients or on the adviser’s ability to provide investment advisory services.

Clerical, ministerial, utility, or general office functions or services would be excluded from the definition. SEC notes that these covered functions may include “providing investment guidelines, portfolio management, models related to investment advice, custom indexes, and investment risk, or trading services or software.” They also may include “advisers’ use of software as a service or artificial intelligence as a service, both of which are playing a growing role in the investor advisory space.”

Books and records requirements

Investment advisers. The SEC is proposing to add a new provision to the recordkeeping rule, new rule 204-2(a)(24), that would require investment advisers to maintain:

• A list of covered functions for which the investment adviser has retained a service provider, including factors that led the adviser to list each as a covered function
• Documentation of the due diligence assessments for each service provider along with how the adviser will comply with the risk mitigating requirement
• Documentation of written agreements entered into with each service provider
• Documentation of the periodic monitoring of each service provider
• Records in an easily accessible place throughout the period the covered function is performed by a service provider and for a period of five years thereafter.

Third parties. Separately, to the extent an investment adviser relies on third parties to make and maintain books and records required by the proposed oversight framework, the SEC proposes the investment adviser treat the recordkeeping function as a covered function and the third party as a service provider (as defined under rule 206(4)-11). Furthermore, under this new provision, investment advisers would be required to “obtain reasonable assurances that the third party will:”

• Adopt and implement internal processes and/or systems that meet the requirements of the recordkeeping rule.
• Make and/or keep records that meet all requirements of the recordkeeping rule.
• Provide “easy” access to electronic records during the retention period.
• Ensure continued availability of records if the third-party relationship with the investment adviser ends or if the third party’s operations cease.

Form ADV amendments

Lastly, the SEC is proposing amendments to Form ADV, new item 7.C. in Part 1A and Section 7.C. in Schedule D, that would require investment advisers to provide “census-type” information about service providers.

Relevant KPMG Thought Leadership

KPMG Regulatory Alert

KPMG Regulatory Alert