Private funds will be required to conduct background checks before they hire an outside vendor, and “periodic” checks throughout the life of the contracts thereafter, under new regulations proposed by a divided SEC.

If adopted as written, rule 206(4)-11 would make registered funds go through a six-step check before outsourcing any “covered function” to another company.

The rule is written broadly. It defines “covered function” as anything “necessary for the investment adviser to provide its investment advisory services.” That could mean anything from client services to portfolio management to custom indexes.

The frequency of the periodic checks will depend on “the complexity of the function, or the risk to clients of a failure to perform or of negligently performing the function.” In some cases, funds will have to cancel contracts if they can’t get a clear look at their outside vendors.

The proposed rule could hit private funds in the solar plexus. More than three-quarters of them use at least one third-party administrator, according to SEC records. And the regulations as written would cost each firm at least $132,000 to implement, and another $44,000 per year to keep firms up to date, the commission says in its rulemaking notice.

“Larger advisers, with more outsourcing of covered functions, may have greater costs,” regulators say in the 232-page rulemaking notice. “An adviser needing to revise its existing practices, needing to hire new personnel, choosing to switch service providers in response to the rule, and multiple other factors may cause costs to increase as well. The factors that may increase due diligence costs are difficult to quantify,” the SEC writes.

Small funds could be the hardest hit, regulators acknowledge. “As an initial matter, the proposed rule would create new costs of providing advisory services, which could disproportionately impact small or newly emerging advisers who may be less able to absorb or pass on these new costs,” the SEC notes.

“New costs, especially fixed costs, could also disproportionately impact small or newly emerging advisers. To the extent these costs discourage entry of new advisers or cause certain advisers to exit the market, competition would be harmed.”

Regulators don’t object to outsourcing in principle. “Service providers may give the adviser or the adviser’s clients access to certain specializations or areas of expertise, reduce risks of keeping a function in-house that the adviser is not equipped to perform, or otherwise offer efficiencies that are unavailable to or unachievable by an adviser alone,” the commission points out in its notice.

But it also says outsourcing can pose a risk of “significant harm” to clients when funds use a service provider that is necessary to conducting its business without appropriate oversight.

“Given the increasing use of service providers by investment advisers, we are also concerned that the commission has limited visibility into advisers’ outsourcing and thus the potential extent to which advisory clients face outsourcing-related risks,” the regulator wrote.

More than anything, regulators say, they’re worried the funds themselves aren’t watching these vendors closely enough. “As a fiduciary, an investment adviser cannot just ‘set it and forget it’ when outsourcing,” the rulemaking notice states.

Exams widen

The threat here isn’t just hypothetical. In the months before the commission voted, 3-2, to put the new outsourcing rules out for public comment, commission examiners began asking private funds to explain how closely they monitor their outside vendors, Private Funds CFO has learned.

Regulators have long asked firms about outside contracts during exams. If worried about cybersecurity, for instance, they ask firms about any vendors they use (and contracts they sign).

But since April, after the SEC sent out a risk alert on insider information in the industry, examiners’ questions have gotten broader and deeper, compliance lawyers say. They’ve also gotten more pointed about how firms police those outside services. It doesn’t appear that the SEC has opened a fresh exam sweep, but several compliance experts say there has been a noticeable uptick in questions about private funds’ outside vendors.

“They don’t want to see diligence done once, they want some kind of regular, annual update,” says Kerry Potter McCormick, a partner in Barnes & Thornburg’s New York office, who spoke with Private Funds CFO weeks before the SEC put the outsourcing rules on its open meeting agenda.

Indeed, regulators mention in the notice they’re “troubled” to hear that commission examiners have “observed some advisers unable to provide timely responses to examination and enforcement requests because of outsourcing.”

Four worries

David Tang is a partner in Dorsey & Whitney’s New York offices. He says the commission seems worried about four areas: fiduciary duty, conflicts of interest, fees and systemic risk.

“The SEC is concerned that advisers may be shirking their fiduciary responsibility by outsourcing,” Tang says. “And two, that there may be conflicts of interest in vendor selection. Any affiliation with a service provider will draw special attention, of course.”

Another potential conflict: “Is compliance consulting firm XYZ going to conduct due diligence on themselves? Even if there is a so-called separate department within the consulting firm conducting diligence, the obvious answer is: No, that shouldn’t be the case. The better practice is to have an independent set of eyes conducting due diligence,” Tang adds.

Indeed, one of Gary Gensler’s first speeches as SEC chairman came last year, when he appeared before the Institutional Limited Partners Association. Gensler said he’d heard LPs’ complaints about funds using third-party contracts to offload their fiduciary duties to vendors. He promised he’d stop it. He also said private funds’ fees were too high.

“Hundreds of millions of dollars,” Gensler said then, “are standing between investors and businesses.”

The SEC is concerned that some managers may be looking to reduce their overhead by outsourcing what otherwise would be full-time employees paid by the manager to outside contractors or consultants paid by the fund. If managers charge contractors that would normally be in-house employees to the fund, they had better be prepared to disclose those expenses “explicitly,” Tang says, “because clients are now paying additional expenses. Not to mention, managers will be asked to substantiate that fees paid to outsourced providers are market.”

As to the question of systemic risk, regulators themselves are clear about it.

“The use of service providers could create broader market-wide effects or systemic risks as well, particularly where the failure of a single service provider would cause operational failures at multiple advisers,” the rulemaking notice states. “For example, there could be concentration risks to the extent that one service provider supplies several services to an adviser or multiple service providers merge to become a single market leader. Multiple regulated entities could use a common service provider, particularly because service providers have become more specialized in recent years, and for certain functions there may be only a few entities offering relevant (often information technology-dependent) services.

“If a large number of investment advisers and their clients use a common service provider, operational risks could be correspondingly concentrated, which could, in turn, lead to an increased risk of broader market effects during times of market instability.”

Tang adds: “When selecting a service provider, a manager should consider how effectively they can pivot to another provider if the largest or most popular service provider becomes unavailable.”

Raising industry ‘temperature’

Funds had been on notice that this kind of thing might be coming. In January, the commission issued its second-ever risk alert for the $21 trillion private funds industry. Funds, regulators claimed, weren’t conducting “reasonable investigations” into their investments or funds. They often “failed to perform adequate due diligence on important service providers, such as alternative data providers and placement agents,” regulators claimed.

Four months later, the commission issued a fresh risk alert, this one for the entire investment adviser industry. Too many firms used “ad hoc and inconsistent diligence” on alternative data contracts, regulators said. “In addition,” regulators noted in the April alert, “staff observed advisers that had an onboarding process for alternative data service providers but did not have a system for determining when due diligence needed to be re-performed based on passage of time or changes in data collection practices.”

The proposed rules don’t mention alternative data providers directly. But they say “covered functions” could include “investment research and data analytics, trading and risk management, and compliance.”

Indeed, commission examiners have been asking funds to explain how they monitor outside contracts in consolidating industries. Regulators seem especially worried about consolidation in the alternative data industry, says Barnes & Thornburg’s Potter McCormick.

They’re not just focusing on potential conflicts of interest. Some questions ask how advisers make sure the information they’re getting isn’t coming from material, non-public sources.

“They want to see if your front office is stacking up one or more huge wins based on alternative data,” Potter McCormick says. “They want to see you increasingly focus on what specifically happened there, especially if you have a new win from the same source. If something is happening, you should be finding out what’s happening.”

Craig Moreshead, a partner at compliance consulting firm ACA Group, says the new proposal may well “raise the temperature” in the industry, but it ought to be seen as a reminder that compliance isn’t a cut-and-paste operation. “A lot of risk at registered investment advisers lies underneath, at the service provider level,” he says. “If there’s a problem with a service provider – such as a lack of cyber-controls – those risks can spill over onto the RIA. It’s certainly important for investment advisers to have a handle on what their service providers are doing and to regularly have a temperature check.”

Regulators have been particularly interested in private funds’ “override practices,” Moreshead adds. If an index provider, say, comes back with a potential price but the fund rejects it, regulators will want to know why, he continues. It’s important that advisers show their work.

Infinite regression

For some private fund advisers, it comes as a bit rich that the SEC says it wants a new compliance regime for outsourcing. Many funds only turned to outside vendors to deal with the old regime.

“I think outsourcing started to become popular when firms were required to register with the SEC,” says April Evans, CFO at Monitor Clipper Partners. “Over time, we’ve developed a really reputable and solid cadre of third-party administrators who bring best-in-class practices because of the array of clients they have.”

The problem is that “the cost of SEC compliance must be borne by the manager, and it’s expensive,” Evans says. “And so managers started looking at ways to shift cost to the funds, if you will, that were costs that managers may historically have paid – like, for example, in-house accounting services where third party administrators sprung up.”

The enforcement risks ratchet up when firms turn to outside compliance officers, she notes. It’s one thing to turn to a vendor for compliance help, she says. It’s another to outsource compliance altogether. “Because from the SEC’s perspective, the buck stops with the manager,” Evans adds. “When they come in to do an audit, they want to talk with a chief compliance officer who is sitting in the seat at the firm. The SEC does not look kindly upon actually outsourcing that CCO role.”

‘What precisely is the problem?’

Critics of the proposed rules – Republican Commissioners Hester Peirce and Mark Uyeda are two of them – say they’re needless, wasteful, and will land especially hard on small firms. “What precisely is the problem this proposal is trying to correct?” Peirce asked. Those critics may have to wait for the Division of Exams to get their answer. Regulators cite six different enforcement cases in footnotes to the proposed rule. Uyeda wasn’t impressed by any of them.

“Tellingly, the observations cited in the proposing release as a basis for proposing this rule do not appear to describe service provider failures that would have been prevented had the rule been in effect,” he said.

For now, fund advisers can ask their would-be contractors a few questions of their own, Moreshead says. He recommends you start in three areas:

• Business continuity planning. “Do they do annual tests on their business continuity?” he says. “Have they had an actual disaster? What did those events reveal?”

• Cybersecurity. “Have they done a risk assessment? Do they have cybersecurity insurance?” Moreshead says.

• Bad actors. If the vendor is a broker-dealer, investment adviser or sub-adviser, check them on Finra’s Brokercheck site.

Past is prologue?

The last time the SEC made this much noise about industry outsourcing was in 2015. Then, the commission proposed rules that would have required fund advisers to report whether their chief compliance officers were contractors.

While those rules were pending, examiners swept 20 firms that relied on outside CCOs. Two things followed that sweep. The first was a risk alert, published that year. It warned industry that too many contractors were selling off-the-rack compliance services that didn’t line up with firms’ actual risks. The second thing was a new rule that put question 1.J on Form ADV.

Question 1.J asks firms to explain whether their CCO is a contractor or in-house. SEC staff “observed a wide spectrum of both quality and effectiveness of outsourced chief compliance officers and firms,” regulators wrote.

“Identifying information for these third-party service providers, like others on Form ADV, will allow us to identify all advisers relying on a particular service provider and could be used to improve our ability to assess potential risks.”

Breaking down the proposal

As written, the proposed rules say that funds could satisfy the new due diligence requirements by checking a vendor’s references, interviewing its staff, obtaining written assurances from a vendor, winning the rights to audit the vendor or quizzing a would-be vendor on how well it knows the Investment Advisers Act.

Background checks would have to measure risk in six categories:

1. Nature and scope of services. Questions there can include: What are the licensing terms? How frequently is data delivered?

2. Potential risks. Can confidential data leak out?

3. Vendor’s competency, capacity and resources.

4. Vendor’s subcontracts. Does the adviser have visibility into sub-deals? Is the vendor required to report “any material incidents?”

5. Co-ordination. Will the vendor work with you to make sure you’re complying with federal laws and regulations?

6. Orderly termination. Contracts should have “reasonable timeframes to allow for timely transfer or destruction of any data.”

The rules would also revise existing books-and-records requirements so that funds would have to document and save their due diligence and ongoing monitoring. To comply with that part of the rule, funds would have to “obtain reasonable assurances” that any vendor can:

1. “Adopt and implement internal processes and/or systems for making and/or keeping records that meet the requirements of the recordkeeping rule applicable to the adviser in providing services to the adviser;

2. “Make and/or keep records that meet all of the requirements of the recordkeeping rule applicable to the adviser;

3. “Provide access to electronic records;

4. “Ensure the continued availability of records if the third party’s operations or relationship with the adviser cease…”

Funds would be required to “keep a list or other record of covered functions that the adviser has outsourced to a service provider and the name of each service provider, along with a record of the factors, corresponding to each listed function, that led the adviser to list it as a covered function.”

With reporting by Jennifer Banzaca