
The Time to Act Is Now: A Guide to Navigating the SEC’s Proposed Rule on Third-Party Vendor Due Diligence

Is your firm ready for the SEC's proposed rule on third-party vendor due diligence? Key considerations to keep in mind.

Proper assessment, selection, and monitoring of your third-party service providers have always been an integral responsibility for firms on both the buy-side and sell-side within financial services. The vendors with whom you engage are often seen as an extension of your business given the key role they play. Fund administrators, information technology (IT) service providers, counterparties, and archiving services are just some of the many examples of service providers that hedge funds and investment firms rely on.

But what has always been a “best practice” for firms may soon become a requirement.   

On October 26, 2022, the Securities and Exchange Commission (the “SEC”) proposed a new rule (the “Rule”) and rule amendments under the Investment Advisers Act of 1940 (collectively, the “Proposed Rule”) to prohibit registered investment advisers (RIAs) from outsourcing certain services and functions without conducting due diligence and monitoring of their service providers.

In light of these proposed rule changes and against the backdrop of an ever-evolving regulatory landscape, what should you do to conduct third-party due diligence on your mission-critical vendors?   

SEC’s Proposed Rule on Third-Party Vendor Due Diligence: Key Considerations for Investment Firms

While the increased scrutiny surrounding vendor due diligence is most applicable to hedge funds and investment firms that are RIAs with the SEC, the SEC’s new rule will impact all firms. A best-in-class, mission-critical, third-party vendor due diligence program should confirm or obtain, when applicable and appropriate, documentation of third-party infrastructure that mitigates risks to your firm. Firms under the purview of the SEC would need to obtain, when available, a SOC-1 Type 2 report (detailing all services per fund, portfolio management, accounting, and administration), a documented cybersecurity plan, and a given vendor’s business continuity/disaster recovery plan. The SEC is proposing that RIAs, including private fund advisers, undertake due diligence assessments before engaging service providers, including affiliated service providers, for certain “core” advisory-related services or functions, and that they regularly monitor the service provider’s performance while reassessing the appropriateness of a given outsourcing arrangement.

Due Diligence Requirements of the Proposed Rule

The SEC proposal would require periodic monitoring and reassessment of a service provider’s performance and whether the arrangement continues to be appropriate under the due diligence requirements of the Proposed Rule. 

The Rule defines “service provider” as a person (other than an adviser employee) or entity performing one or more Covered Functions. While the SEC expressly excludes clerical, ministerial, utility, or general office functions or services from the definition of “Covered Functions,” many affiliated and unaffiliated service providers are covered under it, and the Rule makes no distinction between them. The Release includes the following non-exclusive list of potential Covered Functions:

  • Adviser/Subadviser 
  • Client Services 
  • Cybersecurity 
  • Investment Guideline/Restriction Compliance 
  • Investment Risk 
  • Portfolio Management (excluding Adviser/Subadviser) 
  • Portfolio Accounting 
  • Pricing 
  • Reconciliation 
  • Regulatory Compliance 
  • Trading Desk 
  • Trade Communication and Allocation 
  • Valuation 

However, additional functions could be Covered Functions, and Form ADV includes a checkbox for “other” and a free-writing field for advisers to define a Covered Function that is not among those enumerated. 

The Proposed Rule would require RIAs with the SEC to conduct a due diligence review before outsourcing any Covered Function, including a new Covered Function, to an existing service provider. Specifically, an adviser must reasonably identify and determine that it would be appropriate to outsource the Covered Function, and that it would be appropriate to select that particular service provider by following a due diligence process that consists of identifying: 

  1. The nature and scope of the Covered Function the service provider is to perform 
  2. Potential risks to clients or the adviser’s ability to perform its advisory services resulting from engaging a service provider (and that particular service provider) to perform the Covered Function, including how to mitigate and manage such risks 
  3. Red flags in competency of the service provider to perform a Covered Function 
  4. Any material subcontracting arrangements of the service provider related to the Covered Function 

Each RIA with the SEC has a fiduciary duty to conduct reasonable due diligence on any third-party vendor whose services will directly affect its investors and the private funds in which they invest, so that the firm has a reasonable, documented basis for choosing a given third-party vendor going forward. A firm’s duty to conduct proper due diligence generally increases with the complexity and uniqueness of the service provided. As it gathers additional cumulative data from SEC exam results and enforcement actions, the Commission is expected to provide more commentary, new Risk Alerts, and grace periods in 2023 for all firms under its regulatory scope to implement more robust infrastructure in response to the Proposed Rule.


Fiduciary Duty and Best Practices for Investment Firms

Investment firms have a fiduciary duty to seek the best third-party vendors for their clients. From selecting counterparties for executing transactions to retaining an IT vendor to assist with the best cybersecurity practices, the firm must always attempt to confirm it’s obtaining trustworthy and reputable third-party vendors.  

In light of the Proposed Rule, fiduciaries should consider the following: 

  • Develop a well-defined plan for conducting both initial and ongoing due diligence 
  • Establish and prioritize the criteria upon which to evaluate service providers considering the full range and quality of services, including capability, costs, responsiveness, and security, among several other dispositive factors 
  • Formalize the methods for conducting due diligence including checklists, standardized questionnaires, on-site visits, and review of customer complaints/testimonials 
  • Design a system to keep track of due diligence findings, making sure to keep track of areas of concern, changes in the service provider’s answers, frequency of ongoing due diligence, and other relevant information 
  • Prepare a plan as to what you will do, how you will determine when a change is necessary, and how you will respond to any findings, including your communication with clients, regulators, and stakeholders  

The Bottom Line

While the SEC has yet to speak to the exact implications of the Proposed Rule, what’s clear is that vendor due diligence is more important than ever for managers, investors, and other stakeholders. That means planning and preparation are key to implementing a process that not only meets your business needs but also any regulatory requirements. Arootah’s Business Advisory has the tools and experienced industry experts you need to prepare and implement these mission-critical steps. Book a no-obligation 30-minute consultation to see how we can support your firm. 

Sources

Outsourcing by Investment Advisers, SEC Rel. No. IA-6176 (Oct. 26, 2022).

Private Fund Advisers; Documentation of Registered Investment Adviser Compliance Reviews, SEC Rel. No. IA-5955 (Feb. 9, 2022).

Disclaimer: This article is for general informational purposes only and does not constitute legal, investment, financial, accounting, or tax advice, or establish an attorney-client relationship. Arootah does not warrant or guarantee the accuracy, reliability, completeness, or suitability of its content for a particular purpose. Please do not act or refrain from acting based on anything you read in our newsletter, blog, or anywhere else on our website.
