Top headaches for RIAs if the SEC's outsourcing rule is enacted

Since it was announced in late October, SEC's new rule and rule amendments concerning outsourcing have been widely criticized by many industry leaders — even within the SEC. Commissioner Hester Peirce called it "a solution in search of a problem," adding that "fiduciary advisors already have a responsibility to their clients that cannot be outsourced and supersedes this rule." While industry executives have universally voiced their support for protecting investors, some have expressed concerns over the burdensome new due-diligence requirements inherent in the new rule and the potential impact on advisory firms.

In announcing the new proposed rule (Rule 206(4)-11) and amendments to Rule 204-2 (the Recordkeeping Rule), the SEC stated its intention to address the evolving asset management industry and the increased engagement of service providers by RIAs to perform certain core functions that are necessary for advisory services to be in compliance with federal securities laws. Why does the SEC think this is necessary? As clients' needs have become more complex, many RIAs have been engaging third-party service providers to perform certain core functions. While the SEC acknowledges the potential benefits of outsourcing, it also sees potential risks and therefore believes RIAs should be required to meet minimum requirements before and during these outsourcing engagements. The SEC sees the potential for clients to be significantly harmed if certain functions are outsourced without appropriate controls in place.

Recordkeeping for days
If the rule is enacted, RIAs will have to keep records, including a list of covered functions outsourced to service providers and the factors that led to listing them as covered functions (more on that below). They will also have to comply with the rule's books and records requirements and report census-type information about service providers on Form ADVs, as well as keep books and records demonstrating their due diligence and monitoring efforts of service providers. They will have to obtain reasonable assurances that the providers will meet certain standards. Furthermore, RIAs would have to monitor the performance of their existing service providers and reassess their retention to reasonably determine whether it is appropriate to continue outsourcing services to them.

'Coverage' may vary
Per the proposed rule, "Covered functions" include:

1. Advisor/subadvisor
2. Client servicing
3. Cybersecurity
4. Investment guidelines/restriction compliance and investment risk
5. Portfolio management (excluding advisor/subadvisor) and portfolio accounting
6. Pricing and valuation
7. Reconciliation
8. Regulatory compliance
9. Trading desk
10. Trade communication and allocation

Not included as a covered function or service are those clerical or general office functions not related to providing investment advisory services, such as commercial leases, public utilities, facility maintenance, or general software providers for applications like operating systems or spreadsheets.
But here's the dilemma: As the proposed law currently stands, whether a service is considered to be a covered function or not is specific to the facts of the situation and may vary from one RIA to the next. The covered function is based on the SEC's determination of whether that service is necessary for the advisor to provide its investment advisory services in compliance with federal securities laws; and those that, if not performed or performed negligently, would be reasonably likely to cause a material negative impact on the advisor's clients or on the advisor's ability to provide investment advisory services. For each RIA, it would depend on the "facts and circumstances" of whether the functions or services in question are necessary for a particular advisor to provide its investment advisory services.

Existing relationships
The first step in complying with the proposed new outsourcing rule will be to determine if existing outsourcing relationships RIAs intend to maintain with service providers fall under the provisions of the rule. If they do, RIAs must determine whether the relationships are properly documented by complying with the following six elements of the rule:

• Identify the nature and scope of the covered function.
• Determine measures to mitigate potential risks to clients.
• Determine that the service provider has the competence, capacity, and resources to perform the covered function.
• Determine whether the service provider has any subcontractor arrangements that it relies on that would affect  its ability to deliver the service. 
• Obtain reasonable assurances from the service provider that it will coordinate with the RIA for purposes of compliance with federal securities laws.
• Obtain reasonable assurances from the service provider that it will provide a process for orderly termination.

The proposed new rule would apply to new service provider engagements made on or after the compliance date of the rules and amendments. The ongoing monitoring requirements, meanwhile, would apply to existing service provider engagements beginning on the compliance date.

Future of the proposed rule
The public comment period for the proposed new outsourcing rule ended on Dec. 27, 2022. It is unclear so far whether the SEC intends to pass the rule, make changes to the rule based on feedback or scrap the rule altogether. 

But if the proposed new rule is passed, RIAs of all sizes will be affected since they will have to expend both time and money to remain in compliance. Therefore, it could have a disparate impact on smaller firms with fewer resources, and perhaps become a barrier to entry for small firms. 

Firms with automated processes already integrated into their business can eliminate the need to outsource certain functions like client servicing, fee billing, performance reporting, account aggregation and portfolio management. Selecting the partner with built-in technology solutions could prove a useful option.