Getting by with a Little Help from Friends
The Use & Management of Outsourced Service Providers
EXECUTIVE SUMMARY
Proposed in 2022, the Outsourcing Rule was recently prioritized by the SEC for finalization by October of this year. Though not a particularly complex Rule, advisers should nevertheless be prepared for increased regulatory scrutiny on their third-party risk management practices and programs.
In addition to the requirements of the proposed Outsourcing Rule (which likely will not be significantly different in the Rule’s final version), advisers should be clear within their organizations regarding what outsourcing risks are, as well as risks attached to certain third-party service providers that may be under consideration for outsourcing or are actively in use.
Advisers should also have clear, explainable, and documented due diligence and oversight methodologies for certain outsourced service provider engagements.
Last, advisers should consider implementing some form of a third-party risk management governance framework (depending on and commensurate with the size and complexity of their organization) to ensure that outsourced engagements are subject to appropriate vetting and monitoring.
INTRODUCTION
In July, the SEC’s Office of Information and Regulatory Affairs published its Spring 2024 regulatory agenda, reflecting the priorities of SEC Chair Gary Gensler for the balance of this year. Among many items, the SEC’s proposed rule regarding outsourcing by investment advisers (“Outsourcing Rule”) gained attention; the SEC has prioritized the Outsourcing Rule to be finalized this October. With myriad other rules having been proposed and finalized in the past two-year period, among other industry regulatory actions and events, the Outsourcing Rule appears to have received far less attention from our industry by comparison.
This month’s essay is intended to not only refresh investment managers on the key aspects of the proposed Outsourcing Rule (given October is on the near horizon), but also provide insights into sound third-party risk management frameworks and practices irrespective of specific regulatory standards. Such practices will likely come under new and closer scrutiny by the SEC with the likely adoption of the Outsourcing Rule. Additionally, bodies such as fund and corporate boards will likely need to understand what customary third-party risk management standards are to adequately oversee their investment managers’ outsourcing practices.
To these ends, this essay provides the following (among other content):
- A refresher on the key aspects of the proposed Outsourcing Rule,
- Common third-party due diligence and ongoing oversight practices,
- Typical elements of a third-party engagement life cycle, and
- Third-party risk management governance framework components.
THE OUTSOURCING RULE
The Outsourcing Rule, if adopted as proposed, has several key aspects that would form the basis of an adviser’s third-party risk management program and its attendant life cycles. Though not necessarily comprehensive, the Rule has general alignment with sound risk management practices. As such, the Outsourcing Rule is instructive in many respects.
Covered Functions & Service Providers
The Outsourcing Rule is designed to prohibit advisers from outsourcing “covered functions” to “service providers” without meeting certain minimum requirements (more fully described below). A “covered function” is a function or service that is necessary for the investment adviser to provide its investment advisory services in compliance with the Federal securities laws, and that, if not performed or performed negligently, would be reasonably likely to cause a material negative impact on the adviser’s clients or on the adviser’s ability to provide investment advisory services. The Rule proposal provides the following non-exclusive checklist of “covered functions” that, if outsourced, would be subject to the Rule’s requirements (other functions could fall within the purview of the Rule depending on the facts and circumstances).
TABLE 1: COVERED FUNCTIONS
| Covered Functions | Covered Functions (cont.) |
|---|---|
| Adviser/Sub-adviser | Reconciliation |
| Client Servicing | Regulatory Compliance |
| Cybersecurity | Trading Desk |
| Investment Guideline/Restriction Compliance | Trade Communication & Allocation |
| Investment Risk | Valuation |
| Portfolio Management (excluding adviser/sub-adviser) | Pricing |
| Portfolio Accounting | Other (facts & circumstances dependent) |
In terms of functions that would not be subject to the Outsourcing Rule, the proposal excludes “clerical, ministerial, utility, or general office functions or services” from the definition of covered function. For example, lease[s] of commercial office space or equipment, use of public utility companies, utility or facility maintenance services, or licensing of general software providers of widely commercially available operating systems, word processing systems, spreadsheets, or other similar off-the-shelf software would not be considered covered functions. Attorney-client relationships are another example of what would be excluded.
Outsourcing Conditions
Under the proposed Outsourcing Rule, advisers would be prohibited from outsourcing a “covered function” without fulfilling certain requirements. The Rule outlines the following areas for advisers to adhere to in connection with the outsourcing of “covered functions.”
TABLE 2: OUTSOURCING CONDITIONS
| Condition | Element | Requirement |
|---|---|---|
| Pre-Engagement Due Diligence | Nature & Scope of Covered Function | Identify the nature and scope of the covered function the service provider is to perform. |
| | Risk Analysis & Management | Identify and determine how the adviser will mitigate and manage the potential risks to clients, or to the adviser’s ability to perform its advisory services, resulting from engaging a service provider to perform a covered function. |
| | Competence, Capacity & Resources | Determine that the service provider has the competence, capacity, and resources necessary to perform the covered function. |
| | Sub-Contracting Arrangements | Determine whether the service provider itself has any sub-contracting arrangements that would be material to the provider’s performance of the covered function and, if so, identify and determine how the adviser will manage and mitigate the risks attendant to such sub-contracting. |
| | Compliance Coordination | Obtain reasonable assurance from the service provider that it is able to and will coordinate with the adviser for purposes of the adviser’s compliance with federal securities laws that may be applicable to the covered function. |
| | Orderly Termination | Obtain reasonable assurance from the service provider that it is able to and will provide a process for orderly termination of its performance of the covered function (should the time come). |
| | Recordkeeping | Obtain reasonable assurance from the service provider that it is able to fulfill the adviser’s obligations to comply with the books & records requirements of the Advisers Act. Also maintain records of the due diligence that has been conducted, to evidence such due diligence. |
| Ongoing Monitoring | | After an engagement has begun, periodically monitor the service provider’s performance of the covered function to assess the items noted as part of the pre-engagement due diligence process. |
| | | Determine that it is appropriate to continue outsourcing generally, and outsourcing to the specific service provider. |
| | | The manner and frequency of the ongoing monitoring may be determined by the adviser. |
| Third-Party Recordkeeping | | If an adviser relies on a third party to keep any books and records required by the Advisers Act, perform pre-engagement due diligence and ongoing monitoring of the record keeper consistent with the above requirements. Ensure access to such records during the engagement and after the engagement has terminated. |
| Form ADV | | Disclose in Form ADV whether the adviser outsources covered functions to service providers, and disclose each service provider’s name, address, whether it is a related person of the adviser, the date it was first engaged to provide the covered function, and the type of covered function provided. |
PRE-ENGAGEMENT DUE DILIGENCE & ONGOING MONITORING PRACTICES
As noted above, the Outsourcing Rule does not prescribe any requirements for how pre-engagement due diligence or ongoing monitoring of service providers should be conducted. Rather, it leaves it up to the adviser to determine the best approach based on the nature of the function being provided and corresponding risks. Notwithstanding this lack of prescription, there are many common and long-standing due diligence and ongoing oversight practices an adviser may employ to fulfill its due diligence obligations under the Outsourcing Rule.
Service Provider Risk Considerations
The nature, breadth, and depth of an adviser’s due diligence should generally be determined by a combination of the nature of the covered function being performed and the particulars of the service provider itself. While specific practices an adviser can employ are discussed below, examples of the types of risks an adviser should account for when calibrating its initial and ongoing due diligence process – either in terms of their likelihood or even basic relevance/applicability – are set out in Table 3, below.
TABLE 3: RISK CONSIDERATIONS
| Risk | Consideration |
|---|---|
| Information Misuse | The service provider misusing sensitive or material non-public information to which it has access. |
| Complexity | The complexity of the function being outsourced. |
| Reliability | The reliability and accuracy of the service or function delivered by the service provider. |
| Concentration | Extensive use of the service provider by the adviser, the adviser’s affiliates, or the industry as a whole. |
| Alternatives | Available alternatives in the event the service provider fails or is unable to perform the service. |
| Speed | The speed with which a function could be moved to a new service provider. |
| Conflicts | Conflicts of interest of the service provider. |
| Transparency | The service provider’s unwillingness to provide transparency and access to information needed to understand how the service provider (a) performs its functions and (b) is performing its functions. |
| Proprietary Technology | The extent to which the service provider is using proprietary technology to perform a critical covered function for the adviser, and therefore the criticality of the service provider to the adviser. |
| Control Environment | The service provider’s documented control environment. |
| Violation History | The service provider’s audit, compliance violation, and regulatory examination history. |
| Litigation | Private action history against the service provider in relation to the services being provided. |
| Financial | The financial soundness and stability of the service provider. |
| Information Security | The service provider’s information and cybersecurity practices and their effectiveness. |
| Business Continuity | The service provider’s business continuity planning program and its effectiveness. |
| AI/GenAI | The service provider’s use of AI or GenAI in the performance of the covered function. |
| Sub-Contractors | The service provider’s own use of sub-contractors to perform a covered function, and its attendant oversight methodology and framework. |
Pre-Engagement Due Diligence & Ongoing Oversight/Monitoring Methodologies
As mentioned, the Outsourcing Rule does not prescribe the manner in which pre-engagement due diligence or ongoing monitoring must be performed. However, there are common, long-established practices an adviser may employ that would assist the adviser in selecting service providers, monitoring their performance, and understanding the risks attached to certain service provider relationships. For ongoing monitoring and oversight in particular, it is important to note that the nature of the monitoring and oversight performed can modulate depending on the service provider’s performance of the outsourced function, as well as any increase or decrease in a service provider’s risk profile. Commonly employed pre-engagement due diligence and ongoing oversight and monitoring practices include the following, see Table 4, below.
TABLE 4: THIRD-PARTY DUE DILIGENCE PRACTICES
| PRE-ENGAGEMENT DUE DILIGENCE | ONGOING MONITORING & OVERSIGHT |
|---|---|
| Use of Due Diligence Questionnaires (narrative-based with supporting documentation) | Use of Compliance Certifications & Periodic Questionnaires (change- or exception-based, with supporting documentation as needed, such as for policy & procedure changes) |
| Reviews of Policies & Procedures | Daily, Weekly, Monthly or Other Periodic Monitoring, as Appropriate (e.g. if the outsourced function is a daily function such as trading, reconciliation, etc.) |
| Systems Demonstrations | Review of Policy & Procedure Changes |
| Process Walk-Throughs (including onboarding, live relationship, offboarding) | Review of Policy, Procedure, or Contractual Violations (if any) |
| Review of Policy Violations & Regulatory Examination Deficiencies (e.g. exam letter inspections) | KPI Reviews |
| Review of Independent Audit Results (e.g. SOC 1 reports, etc.) | Issues & Errors Tracking & Reporting |
| Onsite or Virtual Meeting with Key Personnel (including “boots on the ground”) | Review of Independent Audit & Regulatory Examination Results |
| Premises Security and “Walling” Inspections | Periodic Onsite or Virtual Meetings with Key Personnel, as well as Ad Hoc Meetings (as needed) |
| Commemoration of Due Diligence Observations | Commemoration of Ongoing Monitoring Observations |
THIRD-PARTY RISK MANAGEMENT FRAMEWORKS
To ensure that the requirements of the Outsourcing Rule are complied with, and that all stakeholders within an adviser who have an obligation or interest in evaluating a prospective or existing service provider are sufficiently involved in the outsourcing life cycle, an adviser should consider establishing a structured third-party risk management framework. Studies have shown that in most organizations, service provider oversight is a shared responsibility amongst in-house subject matter experts, and most organizations have established frameworks that govern third-party risk management processes.
Third-Party Life Cycle
The Outsourcing Rule touches upon this to a degree, but at a more practical level, an adviser should think of all outsourced/third-party engagements in the context of a life-cycle, ranging from the initial evaluation phase regarding whether it makes sense to outsource, all the way through to the termination or cessation of an outsourced relationship. The following diagram depicts the typical elements of the third-party risk management cycle.
[Diagram: third-party risk management life cycle (image not reproduced)]
Third-Party Risk Management Framework
Each stage of the third-party life cycle should typically be subject to a governance framework. Third-party risk governance frameworks are designed to ensure that all requisite perspectives and approvals have been obtained before an outsourced relationship may progress to the next stage in the life cycle. They also help ensure that an adviser’s organization is aware of the various risks and performance metrics attached to a particular service provider. Potential governance considerations for each stage of the third-party risk management life cycle can include:
TABLE 5: GOVERNANCE FRAMEWORK
| Stage | Governance Consideration |
|---|---|
| Outsourcing Evaluation | The area within the adviser considering outsourcing a covered function (the relationship owner) evaluates whether such function is appropriate to outsource. |
| | The determination to outsource the covered function is documented with rationale, including benefits and risks. |
| | The determination to outsource may be unilateral or rest with a cross-functional governance group. |
| Service Provider Evaluation | The relationship owner assembles prospective service providers to be considered. |
| | Other areas within the adviser (e.g. operations, compliance, legal, technology, finance) have the ability to opt in or out depending on whether their functional expertise is needed to assess prospective service provider candidates. |
| | The relationship owner and cross-functional stakeholders conduct due diligence. |
| Service Provider Recommendation | The relationship owner makes a recommendation to the cross-functional governing body regarding the recommended service provider (including justification for outsourcing the function generally). |
| | The cross-functional group may approve or deny the recommendation for contracting. |
| | A risk rating is assigned to the selected service provider, which in part drives the frequency and methodology of ongoing monitoring and oversight. |
| Contracting | Legal works with the service provider on contractual terms (substantive terms to be approved by the relationship owner, interested stakeholders, and ultimately the cross-functional governing body). |
| | The terms of the relationship are documented by the relationship owner to ensure adherence by the service provider and the adviser. |
| Model Office/Sandbox | Prior to the service provider “going live” with performance of the function, its performance of the function is validated in a “model office”/“sandbox” environment. |
| | The cross-functional governing body sets the criteria for sufficient “model office”/“sandbox” testing and validation. |
| Activation | The service provider “goes live” with performance of the function only after the cross-functional group within the adviser approves, based on satisfactory “model office”/“sandbox” results. |
| Monitoring | The relationship owner and cross-functional stakeholders conduct ongoing oversight and monitoring. |
| | KPIs, issues, and errors are documented, remediated, and reported to the cross-functional governing body at a set frequency. |
| Termination | The relationship owner recommends termination of the engagement; this may be unilateral or rest with the cross-functional governance group (the service provider may also terminate). |
| | The relationship owner facilitates offboarding of the function and, if need be, onboarding of a new service provider (subject to the third-party life cycle and governance framework). |
PARTING THOUGHTS
The exact nature of an adviser’s third-party risk management practices and program will and should depend on the nature, size, and complexity of the adviser’s business. There is no need to turn third-party risk management into more of a bureaucracy than needed. Any practices – be they due diligence methodologies or governance constructs – ultimately need to be designed to best facilitate the assessment of outsourced engagements to ensure the adviser’s clients are not harmed, and also that the adviser’s rendering of investment advisory services is optimized. In many respects, the proposed Outsourcing Rule commemorates considerations and general standards advisers were already incentivized to address. Whether that makes the Rule sensible or needless I suppose could be debated endlessly, but at least it has some semblance of feasibility.
Thanks for lending me your ears. Now, time to turn on some Joe Cocker, with a little help from a gin & tonic.
BIBLIOGRAPHY
Audet, Chris et al., “Stay Ahead of Growing Third-Party Risk,” https://www.gartner.com/smarterwithgartner/a-better-way-to-manage-third-party-risk, August 16, 2019.
Federal Register Vol. 88, No. 111, June 9, 2023.
Hicks, David et al., “Third-Party Risk Management Outlook 2022,” https://kpmg.com/xx/en/home/insights/2022/01/third-party-risk-management-outlook-2022.html, January 2022.
IA Release No. IA-6176, October 26, 2022.
Itoh, Tasuku, “Conducting Effective Third-Party Risk Management,” Risk Management, April 2, 2024.
Mikkelsen, Daniel et al., “Improving Third-Party Risk Management: A Joint Study between ORIC International and McKinsey & Company,”
Moog, Matthew et al., “Global Financial Services Third-Party Risk Management Survey: Is It Time to Shift Your Perspective of Third-Party Risk?,” https://globaltaxnews.ey.com/news/2018-5743-global-financial-services-third-party-risk-management-survey-is-it-time-to-shift-your-perspective-of-third-party-risk, June 7, 2018.
“Outsourcing by Investment Advisers,”
Stephen, Lesley, “Deloitte’s 2023 Global Third-Party Risk Management Survey Shows Resiliency, Building Trust Top Priorities for Leaders,” https://www.deloitte.com/global/en/about/press-room/deloittes-2023-global-third-party-risk-management-survey-shows-resiliency.html, October 16, 2023.