December 21, 2022
Via Email Only @ firstname.lastname@example.org
Ms. Vanessa Countryman
Securities and Exchange Commission
100 F Street, NE
Washington, D.C. 20549-1090
Re: Release No. IA-6176 – Proposed Rule Change to prohibit registered investment advisers (“advisers”) from outsourcing certain services or functions without first meeting minimum requirements
Dear Ms. Countryman:
I write on behalf of the Public Investors Advocate Bar Association ("PIABA"), an international bar association comprised of attorneys who represent investors in securities litigation. Since its formation in 1990, PIABA has promoted the interests of the public investor in all securities and commodities arbitration forums, while also advocating for public education regarding investment fraud and industry misconduct. Our members and their clients have a strong interest in rules promulgated by the Securities and Exchange Commission ("SEC") relating to both investor protection and disclosure.
Pursuant to Rule of Practice 192(a) of the Securities and Exchange Commission, PIABA submits this comment to the SEC concerning the SEC’s recent rule proposal to create rule 206(4)-11, amend rule 204-2, and amend the Form ADV. The proposed rule changes would affect the ability and duties around a registered investment adviser (“RIA”) contracting with a third party for various issues.
PIABA generally supports the rule proposal.
Generally, these proposed rule changes would establish regulatory standards against which RIAs who wanted to hire a third party to perform various functions could be measured. To begin, the idea that financial services firms should have to meet regulatory standards related to hiring third party vendors, but that the firm is still ultimately responsible for compliance, is not new or novel. Brokerage firms have long been regulated in their use of third party vendors, and FINRA has even recently reminded its members of those obligations.
FINRA Rule 3110 (Supervision) requires member firms to establish and maintain a system to supervise the activities of their associated persons that is reasonably designed to achieve compliance with federal securities laws and regulations, as well as FINRA rules, including maintaining written procedures to supervise the types of business in which it engages and the activities of its associated persons.
This supervisory obligation extends to member firms’ outsourcing of certain “covered activities”—activities or functions that, if performed directly by a member firm, would be required to be the subject of a supervisory system and WSPs pursuant to FINRA Rule 3110.2
Notice 05-48 reminds member firms that “outsourcing an activity or function to … [a Vendor] does not relieve members of their ultimate responsibility for compliance with all applicable federal securities laws and regulations and [FINRA] and MSRB rules regarding the outsourced activity or function.” Further, Notice 05-48 states that if a member outsources certain activities, “the member's supervisory system and [WSPs] must include procedures regarding its outsourcing practices to ensure compliance with applicable securities laws and regulations and [FINRA] rules."
FINRA, Regulatory Notice 21-29.
As a result, this type of rulemaking is neither new nor novel in the financial services industry, nor has it resulted in some onerous burden which pushed firms out of the business as some RIAs claim.
Scope of the Rule
The scope of the proposed rule for a “covered function” is broad and flexible, including any “function or service that is necessary for the investment adviser to provide its investment advisory services in compliance with the Federal securities laws, and that, if not performed or performed negligently, would be reasonably likely to cause a material negative impact on the adviser’s clients or on the adviser’s ability to provide investment advisory services.” A covered function does not include clerical, ministerial, utility, or general office functions or services. A definition like this is helpful in making the rule flexible as the industry continues to develop. The list of functions that a third party vendor might offer to an RIA today is different from what may be offered ten years from now. By leaving this definition flexible, it protects from potential future holes in the rule which could develop in services which the SEC did not predict would be potential concerns.
PIABA is, however, concerned that the proposed definition of a covered function that excludes “clerical, ministerial, utility, or general office functions or services” might create inconsistencies with SEC record keeping rules. RIAs already have a variety of record keeping rules.1 Ultimately, the obligation to maintain those records is and must be borne by the RIA. This should not be changed or affected by a situation where an RIA engages a third-party vendor to fulfill some or any of the functions, such as maintaining copies of written communications with customers. A vendor hired to, for instance, maintain the records for the RIA of all written agreements with clients, communications with clients, and grants of discretionary authority for clients, could arguably be excluded from the covered function definition as merely “ministerial, utility, or general office function.”
An RIA should be required to vet any vendor fulfilling any function necessary to comply with its regulatory obligations. Moreover, ensuring that the covered function definition includes all required record-keeping would simply mirror the requirement already in place for broker-dealers on the issue. FINRA has disciplined firms for failing “to perform adequate due diligence to verify Vendors’ ability to maintain books and records on behalf of member firms” as well as for “violations of Books and Records rules and related supervisory obligations involving Vendors, including, but not limited to, failing to preserve and produce business-related electronic communications (including emails, social media, texts, instant messages, app-based messages and video content) due to: Vendors’ system malfunctions; Vendors’ data purges after termination of their relationship with firms; Vendors failing to correctly configure default retention periods resulting in inadvertent deletions of firm electronic communication for certain time periods; Vendors’ system configurations making deleted emails unrecoverable after 30 days; Vendors failing to provide non-rewriteable, non-erasable storage; and Firms failing to establish an audit system to account for Vendors’ preservation of emails.”2 There is no reason why RIAs shouldn’t be held to the same standard that brokerage firms already are.
Ultimately, all of these rules are in place for investor protection. If applicable regulations are ignored, claimants would be affected in their ability to prosecute claims for wrongdoing and regulators would be affected in their ability to conduct investigations of potential misconduct. It makes no difference whether the regulations were ignored by a third-party vendor or the RIA itself.
Beyond the potentially conflicting obligations discussed above, PIABA supports the rule proposal for its stated purpose of ensuring that RIAs do not attempt to outsource responsibilities without appropriate due diligence concerning, and supervision of, the vendor. Ultimately, clients entrust their monies with an RIA and trust it will fulfill its obligations to give appropriate investment advice and management of those funds. To the extent any functions are being outsourced, whether that includes complex calculations and modeling, due diligence on products for sale, or doing background checks on staff being hired, the clients are ultimately the ones who bear the risk of failure. Clients have no ability to conduct the due diligence and oversight of a vendor; they expect the RIA with whom they chose to invest will ensure that all aspects of the services will be provided in an appropriate fashion. By setting minimum standards and explicitly holding RIAs liable for any vendor failures, this rule simply formalizes what clients already expect to be done.
PIABA thanks the Commission and FINRA for the opportunity to comment on this proposal.
Very Truly Yours,
President, Public Investors Advocate Bar Association
1 See 17 CFR § 275.204-2.
2 FINRA, Regulatory Notice 21-29.