SEC Proposes New Outsourcing Rule: How TPRM Can Help Investment Advisers Prepare

New amendments proposed by the Securities and Exchange Commission (SEC) will prohibit registered investment advisers from outsourcing covered functions to third-party providers without conducting diligence and monitoring. Though investment advisers have been outsourcing third-party services for decades, the SEC has proposed these new amendments to ensure that they fulfill their clients' obligations. 

What does this mean for investment advisers, and how can you prepare for the changes ahead? Let's look at some of the proposed requirements and how your organization can prepare to comply.

Why Is Third-Party Oversight Important?

Without proper oversight, outsourcing products or services necessary to provide investment advisory services can expose an organization and its clients to various threats. A few examples of these threats include cyber breaches, financial losses, reputational damage, compliance violations, operational disruptions, and legal action. For example, a service provider with lax cybersecurity practices could result in the loss or misuse of a client's information. And suppose a service provider has poor or missing compliance controls. In that case, there may be an inability to prevent fraudulent, deceptive, or manipulative activities committed by employees and others.

To combat these risks, the SEC's proposed amendments require investment advisers to perform due diligence and monitoring activities to verify that the vendor aligns with their obligations to their clients. For many investment advisers, these activities may seem unfamiliar or overwhelming, and your organization might not know where to start. So, let's look at these new requirements and how investment adviser organizations can prepare to comply with these amendments.

How Can Your Organization Prepare for Compliance?

Under the amendments, your organization should be performing due diligence and monitoring any service provider providing a covered function. The SEC defines a covered function as:

• Those necessary for the adviser to provide its investment advisory services in compliance with the Federal securities laws
• Those that, if not performed or performed negligently, would be reasonably likely to cause a material negative impact on the adviser's clients or on the adviser's ability to provide investment advisory services.

The SEC has identified multiple examples of covered functions, including: 

• Adviser/sub adviser client services
• Cybersecurity
• Investment risk
• Pricing
• Portfolio accounting
• Record keeping
• Trade communication and allocation
• Valuation
• Technology or services related to an adviser’s investment decision-making processes

Identifying your outsourced covered functions and the service providers responsible for them is a good first step in preparing for the proposed rule. From there, it is important to understand the scope and scale of the due diligence and monitoring requirements.

Understanding the Requirements

The SEC has detailed expectations for due diligence and monitoring. Your processes must account for the following:

Due diligence:

• Identifying and documenting the nature and scope of the services
• Identifying and assessing the potential risks resulting from the service provider performing the covered function, including how to mitigate and manage such risks
• Evaluating the service provider's competence, capacity, and resources necessary to perform the covered function, which may include the review and assessment of:
  •  Due diligence questionnaires
  • A summary of a service provider's business continuity plan
  • An assurance report on controls by an independent party,
  • Certifications or other information regarding a provider's operational resiliency or implementation of compliance policies, procedures, and controls relating to its systems,
  • Results of any testing
  • Conducting periodic onsite visits
  • Additional information relevant to the scope and risks of the product or service
    
    
• Business continuity and disaster recovery plans
• Certifications that verify the provider's resiliency or system controls
• Penetration testing results
• On-site visits

Monitoring requirements:

Upon engaging a service provider, the proposed rule requires the adviser to periodically monitor the service provider's risk profile and performance. Monitoring should occur in a manner and at a frequency that allows the adviser to determine if it remains appropriate to continue outsourcing the covered function to the specific service provider

Once you've identified your covered functions and the associated service providers and understand the new requirements, it's necessary to identify how to execute the necessary processes.

For organizations that already have a third-party risk management program in place, it will be easier to comply with the proposed rule and its due diligence and monitoring requirements. After all, due diligence and monitoring are part of the third-party risk management lifecycle and will automatically be part of any healthy third-party risk management program.

Meanwhile, advisers without any third-party risk management processes may find a lot more work ahead of them to begin executing these practices. Still, working to implement a third-party risk management program before the proposed rule becomes effective can be a sound strategy. A robust TPRM program will help advisers comply with the proposed SEC rule and continue to support overall regulatory compliance now and in the future. TPRM programs also provide other benefits, helping your organization protect sensitive data, preserve your operational resiliency, and safeguard your hard-won reputation.