On Wednesday, Oct. 26, 2022, the Securities and Exchange Commission (SEC) proposed a new rule and amendments regarding the due diligence of service providers. The proposal contains specific due diligence requirements that RIAs must fulfill when using third-party service providers to conduct what the SEC calls “covered function[s].” The SEC defines “covered functions” as “a function or service that: (1) is necessary to provide advisory services in compliance with the Federal securities laws, and (2) if not performed or performed negligently, would be reasonably likely to cause a material negative impact on the adviser’s clients or on the adviser’s ability to provide investment advisory services.” The proposed rule includes the following requirements for service provider due diligence:
Initial Due Diligence. Prior to outsourcing a covered function to a third-party vendor, RIAs must “reasonably identify and determine through due diligence” that the vendor would appropriately carry out the covered function. To do so, RIAs would be required to consider the following in their initial due diligence:
- The covered function’s nature and scope;
- Potential risks of a service provider performing the covered function, including mitigation of such risks;
- The service provider’s capacity to provide the covered function;
- The service provider’s “material subcontracting arrangements” that would help it provide the covered function;
- The service provider’s capacity to comply with Federal securities laws; and
- Orderly termination by the service provider of the covered function’s performance.
Ongoing Due Diligence. The proposed rule would also require periodic ongoing due diligence of vendors that provide a covered function.
Recordkeeping. The proposed rule would require RIAs to maintain records of due diligence and monitoring.
Form ADV Reporting. Under the proposed rule, RIAs would be required to identify all of their service providers that provide covered functions. RIAs would also need to report other basic information on such vendors and their services.
Third-Party Recordkeepers. For vendors that provide recordkeeping functions, the proposed rule imposes additional due diligence and monitoring provisions. RIAs would be required to conduct due diligence to ensure that the vendor will be capable of:
- Maintaining internal procedures for producing and retaining records on the RIA’s behalf that comply with the recordkeeping rule;
- Producing and retaining records that comply with the adviser’s recordkeeping rule requirements;
- Allowing the adviser to access electronic records; and
- Allowing the adviser to access electronic records even after the vendor’s contract with the adviser terminates or if the vendor goes out of business.
The public comment period on this proposed rule will remain open for at least 60 days after October 26, 2022.
What does this mean for me?
While this is only a proposal at this point, these changes could be seen in 2023. Advisers should take note of where regulators are focusing attention and the practices targeted by this proposal. Fairview® will continue to monitor SEC announcements, new regulations, and trends in examinations to keep you abreast of changes that impact your business.
If you have any questions about vendor due diligence, Fairview Cyber can help. We assist firms in implementing a vendor due diligence program and provide essential cyber and data security services like phishing prevention training, internal and external vulnerability scans, and more. Contact us today for more information about our services.
Fairview® provides full-service compliance support for registered investment advisers by creating and implementing comprehensive, sustainable compliance programs, ongoing testing, and evaluations to ensure firms are remaining compliant with SEC regulations. If your firm requires assistance with understanding and implementing SEC regulations, we can help.