SEC Proposes New Outsourcing Regulation for Advisers

Publish Date


Compliance Alert


  • Compliance

The U.S. Securities and Exchange Commission (SEC) continues to issue new rules at a rapid clip with proposed Rule 206(4)-11 under the Advisers Act. The proposed rule requires investment advisers to ensure that critical third-party service providers have the competence, capacity, and resources necessary to do their job before being hired, and then periodically confirm that this is still the case. The proposed rule will also require advisers to maintain books and records evidencing their due diligence efforts.

Many advisers currently engage third-party service providers and have adopted policies and procedures requiring due diligence and ongoing monitoring. This new rule, however, introduces added complexity and cost to these activities. As a result, compliance will be a challenge for all advisers.

Key elements of the proposal

The SEC has taken a page out of the National Future Association's (NFA’s) book, which previously adopted NFA Compliance Rules 2-9 and 2-36, requiring its members to implement a supervisory framework over its outsourced functions to mitigate risks. Like the NFA’s rule, the proposal applies to service providers that perform a “covered function,” defined as: 

  1. A function or service that is necessary for the adviser to provide its investment advisory services in compliance with Federal securities laws, and
  2. Those functions that, if not performed or performed negligently, would be reasonably likely to cause a material negative impact on the adviser's clients or the adviser's ability to provide investment advisory services.

The SEC explicitly excluded clerical, ministerial, utility, or general office functions or services from the definition of “covered function.” 

The basic framework requires an initial determination to outsource, onboarding due diligence and ongoing monitoring, a process for ending the service provider relationship, and recordkeeping. 

Initial due diligence

First, an adviser must "reasonably identify and determine" through due diligence that outsourcing the covered function would be appropriate. Advisers must address the following areas in their due diligence of covered function service providers:  

  1. Nature and scope of services
  2. Potential risks resulting from the service provider performing the covered function, including how to mitigate and manage such risks
  3. Service providers' competence, capacity, and resources necessary to perform the covered function
  4. Service providers subcontracting arrangements related to the covered function
  5. Coordination with the service provider for Federal securities law compliance
  6. The orderly termination of the service provider's services 

Ongoing due diligence

Next, the adviser must determine, through due diligence, that the service provider it selects is up to the task. This means advisers must periodically monitor the service provider's performance and reassess whether it continues to perform as expected.
Recordkeeping by third-party service providers

The proposed rule includes changes to the recordkeeping rule to include:     

  1. A list of covered functions outsourced and the service providers being used;
  2. Records documenting initial due diligence and monitoring of each service provider; and
  3. Advisers must obtain reasonable assurance that the third-party service provider can meet four standards:
    • Adopt and implement internal processes or systems for keeping records that meet the requirements of the recordkeeping rule applicable to the adviser;
    • Maintain records that meet the requirements of the recordkeeping rule applicable to the adviser; 
    • Provide access to electronic records; and 
    • Ensure the continued availability of records if the third party’s operations or relationship with the adviser cease.

Amendments to Form ADV 

The proposed rule includes amendments to Form ADV that require firms to disclose their outsourced service providers, indicating the functions the SEC considers “covered.” New section 7.C. in Schedule D would require disclosure of the following: 

  • Adviser / Subadviser
  • Client services
  • Cybersecurity
  • Investment guidelines
  • Restriction compliance
  • Investment risk
  • Portfolio management (excluding adviser / subadviser)
  • Portfolio accounting
  • Pricing
  • Reconciliation
  • Regulatory compliance
  • Trading desk
  • Trade communication and allocation
  • Valuation

SEC rationale for the proposed rule

The rule proposal addresses three main concerns. First, the SEC noted an increase in hiring third-party service providers by investment advisers. Although the SEC concedes the benefits of this practice, it is concerned about the risks outsourcing poses to both advisers and their clients, especially if the adviser does not conduct an appropriate level of due diligence and ongoing monitoring. Additionally, the SEC is concerned with potential systemic risks, “particularly where the failure of a single service provider would cause operational failures at multiple advisers.”

Second, the SEC also believes that advisers need to do more to vet and monitor their outside vendors. Although oversight of third-party service providers has long been considered part of an adviser’s fiduciary duty, the proposal indicates that the SEC is not happy with the current state of affairs. The proposing release states that a “consistent oversight framework across investment advisers is needed for outsourcing functions or services that are necessary for the investment adviser to provide its advisory services in compliance with the Federal securities laws.”

Finally, the SEC feels its ability to access an adviser’s required books and records under Advisers Act Rule 204-2 is compromised when a service provider maintains those records. Accordingly, the proposal requires that investment advisers obtain “reasonable assurances” from the service provider that it will adopt policies and procedures to create and maintain records on behalf of the investment adviser for the required retention period under Rule 204-2, provide access to such records for the required retention period, and “make arrangements” to ensure the continued availability of the records for the required period, even if the relationship with the adviser is terminated. 

Challenges for advisers 

The SEC notes that all registered investment advisers that outsource will have to follow this rule. SEC-registered smaller advisers will likely bear a greater burden, with annual time and cost estimates for small advisers to comply with the new rule to be close to 196 hours, with an aggregate cost of $27,698,987, or $58,808 per small adviser. Small advisers have the greatest incentive and need for outsourcing and benefit the most from it. Conversely, small advisers have the fewest resources to comply with new prescriptive regulatory requirements.

Interestingly, the SEC acknowledges that determining whether an outsourced function is "covered" by the rule is complicated and will cost advisers money just to do this initial analysis. Moreover, if advisers interpret "covered functions" too conservatively, they may end up spending money performing extensive due diligence when it's not required. 

“This analysis may be particularly costly for certain functions for which it may require thorough investigation to evaluate whether the function is necessary for the adviser to provide investment advisory services, or for which it may require thorough investigation to evaluate whether there would be a material negative impact on the adviser's clients or on the adviser's ability to provide investment advisory services if the function was not performed, or if performed negligently.”

Below are the SEC’s estimates* of the cost of complying with the provisions of the proposed rule: 

Cost (range) per requirement

Hours per adviser

Costs per adviser

Hours for all advisers

Total cost for all advisers

Initial burden of complying with rule 

440 - 1,320 hours

$132,320 - $396,960 per adviser

6,492,640 - 19,477,920

$1.953 - $5.858 billion

Ongoing due diligence range

49-147 hours

$14,702.22- $44,107 per adviser

721,404 - 2,164,213

$44,106.67 - $650,837,973

Initial recordkeeping

Not provided

Not provided



Ongoing recordkeeping requirements

Not provided

Not provided



Initial third-party recordkeeping requirements

88-264 hours

$26,464 - $79,392 per adviser

432,843 - 3,895,584

$130,167,595 - $1.172 billion

Ongoing third-party recordkeeping

29-88 hours

$8,821 - $26,464 per adviser


$130,167,595- $390,502,784

Initial update to Form ADV

1.5 hours




*Estimates have been rounded.

The SEC did not provide information on the potential costs to service providers since "the cost range would be too wide to be informative.”

One of the drivers of cost is analyzing what a “covered function" is. Because this term is vague, firms will engage consultants, outside counsel, and other experts to determine which third-party service providers meet this definition. The rule also includes other ambiguities, such as what it means to "reasonably identify and determine" through due diligence that it's appropriate to outsource the covered function. Advisers will also need to identify the risks involved in hiring the service provider and how to manage such risks. In addition to paying experts for their advice on these issues, firms will undoubtedly end up paying fines to the SEC for getting interpretations wrong.

The proposed rule includes “reasonable” language like the Compliance Program Rule (Rule 206(4)-7). Specifically, the Compliance Program Rule states that investment advisers must adopt and implement “written policies and procedures reasonably designed to prevent violations” of the securities laws. However, as shown by the many SEC settlements citing violations of the Compliance Program Rule, the SEC has trended towards applying a strict liability standard.  None of the settlements discuss whether the policies and procedures were reasonable. Instead, the SEC finds violations of the rule simply because of a securities law breach or a failure to follow procedures. There are other similar minefields in the proposed rule, including whether a firm has sufficiently identified potential risks from the service provider performing the covered function and how to mitigate and manage such risks. 

Another issue for advisers in complying with this rule is getting their service providers to provide “reasonable assurances” that they have processes or systems for keeping records that meet the Advisers Act recordkeeping requirements. Unfortunately, many service providers may not agree to comply with the SEC's recordkeeping requirements. And if they do agree, it will likely result in a fee increase to compensate them for this added requirement. Service providers may also charge to allow advisers continued access to records after the relationship is terminated. 

The SEC is listening

The SEC wants feedback from the industry on this rule proposal and has included 82 questions and ten pages of alternatives to the proposed rule’s requirements. The comment period is 30 days after publication in the federal register, or December 27, 2022, whichever is later. Comments can be submitted electronically using the Commission’s internet comment form (  or via email to (please include File Number S7-25-22 in the subject line). 

Key takeaways

No matter the outcome, this rule proposal indicates the SEC will take a closer look at how advisers vet service providers. We recommend taking an inventory of your firm’s current service providers and ranking them based on their function within the investment management process. Based on the proposal, firms should include third parties that provide the following services: 

  • Subadvisory
  • Client servicing
  • Cybersecurity
  • Assistance with monitoring investment guidelines and restrictions
  • Investment risk monitoring
  • Portfolio management
  • Portfolio accounting
  • Valuation
  • Reconciliation
  • Regulatory compliance
  • Trading

Firms should consider documenting why these services were outsourced and why the specific service providers were selected. 

In addition, firms should review the books and records maintained by third-party service providers and determine whether they would be able to produce required records during an SEC examination. Moreover, firms should consider what happens when a service provider is terminated. Will the service provider download the records in a format accessible to the adviser prior to termination? Should the adviser consider asking for periodic downloads of records to ensure its recordkeeping obligations are being met? Firms should know the answers to these questions before the SEC visits. Before onboarding any new service providers, firms should consider documenting the reason for outsourcing the service and their process for selection. 

Finally, firms should also consider removing any clauses in investment agreements that seek to limit the liability associated with acts and omissions of an engaged third-party service provider. The SEC may view this type of language as inconsistent with an adviser’s fiduciary duty and likely to mislead clients, especially retail, into not exercising their legal rights.

How we help

Our vendor management outsourcing service (VMOS) allows your company to offload the vendor due diligence and risk assessment process. Unlike other risk management solutions and vendor management software providers, ACA's VMOS will help your company save valuable time and resources in order to focus on more strategic tasks.

In addition, as one of the premier outsourced service providers to the investment adviser industry, ACA has extensive policies, procedures, and controls to ensure the quality of our outsourcing services for clients. Our reputation and brand for quality outsourcing across Advisory, Regulatory Technology (RegTech), and Managed Services will help investment advisers confidently meet the spirit and letter of the law of this proposed rule.

If you have any questions or would like to discuss how ACA can help your firm strengthen its vendor due diligence process, increase efficiencies through technology, and ensure your firm is meetings its regulatory obligations , please reach out to your ACA consultant, or contact us here.

Contact us