SEC examiners began asking private funds to explain how closely they monitor their outside vendors months before the Commission proposed sweeping new rules cracking down on outsourcing in the industry, RCW has learned.

Regulators have long asked firms about outside contracts during exams. If they’re worried about cybersecurity, say, examiners ask firms about any vendors they use, and the contracts they sign. Since April, though, after the SEC sent out a risk alert on insider information in the industry, examiners’ questions have gotten broader and deeper, compliance lawyers tell RCW. They’ve also gotten a lot more pointed about how firms police those outside services. Several compliance experts say there has been a noticeable uptick in questions about private funds’ outside vendors.

“They don’t want to see diligence done once, they want some kind of regular, annual update,” says Kerry Potter McCormick, a partner in Barnes & Thornburg’s New York office, who sat down for an interview with RCW weeks before the SEC put the outsourcing rules on its open meeting agenda.

In late October, a divided Commission voted to put new proposed outsourcing rules out for public comment. Among other things, the rules would require registered IAs to check their vendors’ background when they hire them, and then “periodically” after that. “As a fiduciary, an investment adviser cannot just ‘set it and forget it’ when outsourcing,” regulators say in the rulemaking notice (RCW, Oct. 27, 2022).

The risk beneath

The proposed rules, if adopted as written, could hit registered private fund advisers in the solar plexus. More than three-fourths of them use at least one third-party administrator, according to SEC records. The new rules will cost each firm at least $132,000 to implement, and then another $44,000 per year to keep up to date, the Commission says in its rulemaking notice. The widening exam questions suggest that the threat here isn’t just hypothetical.

Craig Moreshead, a partner at the ACA Group, says he’s noticed an “incremental” increase in exam questions about outside vendors in the past few months. The new rule proposal, he said, may well “raise the temperature” in the industry, but it ought to be seen as a reminder that compliance isn’t a cut-and-paste operation.

“A lot of risk at registered investment advisers lies underneath, at the service provider level,” he tells RCW. “If there’s a problem with a service provider—such as a lack of cyber-controls—those risks can spill over onto the RIA. It’s certainly important for investment advisers to have a handle on what their service providers are doing and to regularly have a temperature check.”

Regulators have been particularly interested in private funds’ “override practices,” Moreshead says. If a valuation firm comes back with a recommendation but the fund rejects it, regulators will want to know why, Moreshead says. It’s important advisers show their work.

‘You should be finding out’

Examiners are also taking closer looks at alternative data contracts, Potter McCormick says. Regulators seem worried about consolidation in the alternative data industry, and whether that might create conflicts of interest. Some questions ask how advisers make sure the information they’re getting isn’t coming from material, non-public sources, she says.

“They want to see if your front office is stacking up one or more huge wins based on alternative data,” she says. “They want to see you increasing focus on what specifically happened there, especially if you have a new win from the same source. If something is happening, you should be finding out what’s happening.”

Risk alerts

Advisers had been on notice that this kind of thing might be coming. In January, the Commission issued its second-ever risk alert for private funds. Advisers, regulators claimed, weren’t conducting “reasonable investigations” into their investments or funds. They often “failed to perform adequate due diligence on important service providers, such as alternative data providers and placement agents,” regulators claimed (RCW, Jan. 28, 2022).

Four months later, the Commission issued a fresh risk alert, this one for the entire investment adviser industry. Too many firms used “ad hoc and inconsistent diligence” on alternative data contracts, regulators said (RCW, April 29, 2022).

“In addition,” regulators said in the April alert, “staff observed advisers that had an onboarding process for alternative data service providers but did not have a system for determining when due diligence needed to be re-performed based on passage of time or changes in data collection practices.”

The proposed rules don’t mention alternative data providers directly. But the proposal says that “covered functions” could include “investment research and data analytics, trading and risk management, and compliance.”

‘What precisely is the problem?’

Critics of the proposed rules—Republican Commissioners Hester Peirce and Mark Uyeda are two of them—say they’re needless, wasteful, and will land especially hard on small firms. “What precisely is the problem this proposal is trying to correct?” Peirce asked in her dissent.

Those critics may have to wait for the Division of Examinations to get their answer. Regulators cite six different enforcement cases in footnotes to the proposed rule. Uyeda isn’t impressed by any of them.

“Tellingly, the observations cited in the proposing release as a basis for proposing this rule do not appear to describe service provider failures that would have been prevented had the rule been in effect,” he said.

Practice tips

For now, fund advisers can ask their would-be contractors a few questions of their own, Moreshead says. He recommends you start in three areas:

  • Business continuity planning. “Do they do annual tests on their business continuity?” Moreshead says. “Have they had any actual disasters? What did those events reveal?”
  • Cybersecurity. “Have they done a risk assessment?” Moreshead says. “Do they have cybersecurity insurance?”
  • Bad actors. If the vendor is a broker-dealer, check them on FINRA’s BrokerCheck. If it’s an investment adviser or sub-adviser, pull their ADVs. You want to look for disciplinary history, Moreshead says.

Past is prologue?

The last time the SEC made this much noise about industry outsourcing was in 2015. Back then, the Commission proposed rules that would have required fund advisers to report whether their chief compliance officers were contractors (RCW, May 28, 2015).

While those rules were pending, examiners swept 20 firms that relied on outside CCOs. Two things followed that sweep. The first was a risk alert, published that November. It warned industry that too many contractors were selling off-the-rack compliance services that didn’t line up with firms’ actual risks (RCW, Nov. 9, 2015).

The second thing was a new rule that put question 1.J on Form ADV. Question 1.J asks firms to explain whether their CCO is a contractor or in-house. SEC staff had “observed a wide spectrum of both quality and effectiveness of outsourced chief compliance officers and firms,” regulators wrote at the time (RCW, Aug. 25, 2016). “Identifying information for these third-party service providers, like others on Form ADV, will allow us to identify all advisers relying on a particular service provider and could be used to improve our ability to assess potential risks.”