Oct. 27, 2022
October 27, 2022
Response to Request for Comments on SEC Release No. IA-6176 File No. S7-25-22 \"Outsourcing by Investment Advisers\"
Thank you for this opportunity to respond to the SEC's proposed rule under the Investment Advisers Act of 1940 to prohibit RIAs from outsourcing certain services unless due diligence is performed. Today, it is more important than ever, that an agency with the credibility, expertise and skills such as the SEC, provide an additional layer of fact verification regarding claims that significantly impact the investing public. As a small broker-dealer/RIA, Intellivest's generally does not welcome more regulations. However, when it comes to due diligence, more is better. As more RIAs migrate to platforms advertised as \"white label\" platforms, it is vital that robust due diligence not be replaced by a check the box mentality. There is not currently a viable substitute for a person analyzing the facts and circumstances of a proposed relationship. There is no doubt that eventually the emerging blockchain ecosystem will be able to provide certain due diligence functions that are now
done manually such as authentication of facts dealing with identity, past performance, AML, suitability, etc. But until that happens, the SEC must remain vigilant that RIAs and other fiduciaries not outsource functions without doing due diligence just to lower the RIA's costs. I believe this thought is consistent with what SEC Chairman Gary Gensler said in the recent open meeting discussing the proposed rule.
This Comment will respond to the 101 numbered questions with each question being paraphrased.
#1. Scope of Rule. Although the SEC claims that less than 500 \"small\" RIAs are registered with SEC and 100% of them will be covered, the SEC overlooks the reality that state securities regulators will be influenced by the scope and coverage of this Rule and will regulate accordingly. It is not contradictory to say that the coverage, if anything, is not broad enough in light of the issues facing the investing public today, especially regarding cryptocurrency. However, the SEC should express some thinking regarding coordinating this ambitious initiative with state regulators, perhaps in coordination with
NASAA.
#2. Oversight of outsourced functions. This commentator feels strongly that it is not enough to allow an RIA to simply disclose they are outsourcing but not overseeing. RIAs must be responsible for the oversight responsibilities as proposed based on a \"reasonableness\" standard.
#3. Disclaiming liability. A fiduciary such as an RIA must not be able to disclaim any liability with respect to a covered function. A doctor cannot, a lawyer cannot, and an RIA should not.
#4. Clarity of definition of \"covered function.\" The two prong test of \"necessary\" services and if performed \"negligently
would be reasonably likely to cause a material negative impact\" will depend on the facts and circumstances of a case. By specifically excepting ministerial and administrative functions, the definition is made more clear. More examples of both what is covered and what is excepted would make the definition even more clear.
#5. What are \"core advisory services?\" This is a moving target and should not be too narrowly defined. For example, in advising clients regarding investing in securities that touch the cryptocurrency ecosystem issues will arise as to whether not only a particular cryptocurrency or token is appropriate for a particular client but also the type of exchange, wallet, and ledger hardware used by the client may fall within this definition.
#6. Should definition be fleshed out? Too ambitious of a regulation will destroy its usefulness. Example: FINRA Rules defining communications and sales literature. Comparing to BD oversight, the bedrock of BD regulation is a very broad Rule 2010 \"must adhere to high standards of commercial honor and just and equitable principles of trade\" and this rule seems to work fine. Keep the rule as simple and broad as possible otherwise RIA lawyers will use the complexity as leverage against its enforcement.
#7. Specific functions within the definition of functions. Many times an RIA will outsource the filing itself and the contents therein of the Form ADV to an outside attorney and when a mistake is discovered blame it on the attorney, herself a fiduciary. This problem should be specifically addressed. An RIA should not be able to escape responsibility for a covered function by relying on an outside provider such as an attorney or CPA. In addition, services that appear as ministerial may in fact turn out to cost a client her funds. The recent bankruptcies of certain cryptocurrency \"custodians\" illustrate the risk of choosing the \"wrong\" custodian or in not understanding who actually owns the assets subject to the rights of creditors.
#8. Explicit disclosure. The more specific and explicit the required disclosure, the better.
#9. Percentage test of impact of clients. No, it is not necessary to devise a numerical test of clients impacted. It is enough to leave it to the discretion of the regulator based on the facts and circumstances. Enforcement practice and other industry indicators will clarify the scope of the rule. Making the rule too explicit will cause the compliance costs to go up because lawyers will be able to \"chew\" on a complex definition and run up legal bills with costly memos of analysis.
#10. Treatment of data providers. Absolutely, data provided should be explicitly included because data is only as good as the integrity of the provider. People would be shocked to realize how much data is \"cooked.\"
#11. I do not understand this question.
#12. Exclusions. The less exclusions the better because of the inherent limits of words such as \"clerical\" or \"ministerial.\" Do not exclude any of the functions listed. Instead, let the regulations' power exist in the broad language requiring \"reasonableness\" and \"due diligence\".
#13. Definition of \"covered function.\" Again, both prongs of the test are solid and, if anything, should be made broader.
#14. Definition incorporating other laws. A broad reference to Federal Securities laws is better than specific references because an RIA lawyer will argue applicability issues based on the enabling language of the referenced law.
#15. \"Necessary\" too limiting? Yes, the language should be broader to include services that support the RIA. The rule should apply to all of the RIA's services including those required under statutes other than the Advisers Act such as the Federal securities laws, state laws, administrative rules and case law.
#16. Service provider definition clear? The rule correctly does not distinguish between a third-party provider and affiliated third-party provider and is, therefore, a workable definition.
#17. Definition of \"material\" and \"reasonably likely.\" These terms have been used since 1933 and have worked well. Occasionally, the SEC has provided guidelines for \"materiality\" such as the 5% of assets test. However, that should evolve.
#18. Service provider definition. Practitioners are familiar with the various definitions of \"affiliates,\" \"control persons,\" and \"related persons\" so the definition as proposed is fine.
#19. Service provider definition. No, it should be irrelevant whether the service provider is actually retained although this information would be relevant with respect to mitigation.
#20. Written agreement necessary? Yes, there should be a requirement for a written agreement but the contents of the agreement should be \"reasonable\" depending on the facts and circumstances of each situation.
#21. Scope of rule clear? No, examples need to be given to cover the issues of cryptocurrency and blockchain ecosystems. Until the issue of lack of transparency regarding who has access to cryptocurrency protocols for accountability, including Bitcoin, the current risks of RIA clients are high. Your definitional issue cannot be resolved satisfactorily until the uncertainty surrounding the regulation of cryptocurrency in relation to U.S. v. Howey is resolved.
#22. Exceptions to rules. The suggested exceptions to the rules are presumably based on the premise that the proposed exceptions have certain qualifications that justify the exceptions. This is a false premise. Just as the definition of accredited investor was based on the false notion that a high net worth individual has certain knowledge others do not have, it is wrong to assume that because an entity is a registered investment company there should be an exception. Broad is better, exceptions lessen the rule's effectiveness.
#23. This question is ambiguous as it does not make it clear if you are talking about a subadvisor as an RIA or a subadvisor as the service provider. In either case, the subadvisors in my opinion should be included.
#24. Exclusion of a supervised person. The exclusion of a supervised person as a provider is justified as duplicative. However, the rule should not also exclude an adviser's affiliated or related persons because this will make enforcement of the rule much more difficult.
#25. I do not understand this question.
#26. Exception for firms that are dually registered BD. Yes, there should be an exception for firms that are dually registered BDs. BDs are subject to vastly more oversight and regulation than RIAs and this should be recognized. Yes, if the outsourcing is to someone who is strictly regulated by another credible regulator, then there should be an exception. There is precedent for this exclusion in the exceptions for registration of securities and transactions in the 1933 Act.
#27. Is the rule necessary? Absolutely, 100%. This commentator can provides several anecdotal examples of unbelievable denials of responsibility by RIAs. This is caused by aggressive attorneys who push the boundaries of what it means to zealously represent a client. In the past four weeks alone, this commentator has seen examples of RIAs disavowing responsibility for admittedly material errors in Form ADV filings but whose lawyers argue that it was \"the outside lawyer's fault\" or \"it was the fault of a newly hired compliance office.\" In addition, this commentator has seen first hand how RIAs will manipulate the content of a Form ADV in order to provide credibility to the RIA based on the strong reputation of the service provider mentioned, even when the service provider was not even aware it was listed on the Form ADV and was not providing services. The SEC has brought actions relating to this type of issue such as SEC v. Goldsky Asset Management, LLC and Kenneth Grac
e, U.S. Dist. Ct., S.D.N.Y. 18 Civ. 8870, Sept. 27, 2018 (involving representations about an outside auditor, asset custodian, fund administrator and prime banker) and In the Matter of The Robare Group Ltd, et al, Admin. Proc. File No. 3-16047, Rel. No. 4566, Nov. 7, 2016 (involving the role of the custodian of their assets as stated in the Form ADV). The current complexity of the Form ADV itself as well as the forms within the form discussing affiliated funds provides coverage for RIA compliance officers who are left to shoulder the blame. This rule will go a long way to solving this serious problem and is long overdue. Obviously the current laws and regulations, including Section 206, are not enough to fight the serious threat to the capital markets identified by the staff in proposing this needed rule.
#28. Timing of updates. At first, the burden of updating should be no more frequently than quarterly and could be changed based on experience.
#29. List of functions? No, it will be easier to enforce the rule, the less complex and burdensome it is. Of course, compliance should be included in the written policies and procedures of the RIA but too much detail should not be required.
#30. List of factors? No, a list of factors should not be required. Seasoned practitioners generally will not list all the steps taken in a due diligence review because they are aware of the
cases where a competent, diligent, compliant compliance officer or attorney will put in a discoverable file a list of, say, 50 due diligent items performed only to be bullied on the witness stand with questions like, \"You did 50 items but you did not do ________, did you?\" A prudent practitioner will put a memo to the file that draws the conclusion that proper due diligence has been performed, where this is consistent with the law. As a practical matter, asking the RIA to provide lists may be counterproductive.
#31. Due diligence requirements. The SEC should produce a guide similar to FINRA Regulatory Notice 10-22 \"Obligations of Broker-Dealers to Conduct Reasonable Investigations in Reg. D. Offerings.\" In addition, due diligence requirements should be specific to the evolving cryptocurrency and blockchain ecosystems as noted above.
#32. Third party experts? My concern with this suggestion is that it dilutes the fiduciary requirement that pertains in its absence. In other words, it is quite enough that the RIA ensures in its due diligence that the service provider has the expertise needed or will get it. If the service provider does not have this expertise when retained or ready access to it, then it should have not been retained in the first place. How the service provider meets the required standard of care is up to it. You are opening the door to a mirror facing a mirror situation because where do you stop? Does the expert's expert have to hire an expert?
#33. Policies and procedures. The \"reasonably designed\" standard in Rule 38a-1 and Rule 206(4)-7 should be sufficient. However, of course the policies and procedures should reference the RIA's duty to follow the Rule, who within the RIA is responsible for supervising compliance and the other representations normally found with respect to such rules.
#34. Exceptions to due diligence requirements? No.
#35. Exceptions for smaller RIAs? No, if anything they should be specifically included because if anyone needs third party providers, it is the smaller RIA.
#36. Exceptions for emergencies? Yes, there could be several common sense exceptions where it is vitally important to make an exception. In that case, the RIA could have a notice requirement and a documentation requirement.
#37. Due Diligence requirements? Yes, where the going concern of a third party provider is important, the RIA should, for example, confirm that the provider has enough cash to sustain itself for a period of time, say, a year from retention. Regarding cryptocurrency, as noted above, there seems to be a consensus that these protocols are somehow self-perpetuating with little or no human intervention, which is nonsense. Due diligence requirements must address the viability of custodian of all assets in all asset classes especially in regard to worst case scenarios of bankruptcy, insolvency and liquidation. The easiest way to do this is for the due diligence practitioner to demand transparency.
#38. Clarity of \"nature and scope.\" Examples would help both in terms of inclusion and exceptions.
#39. Prioritize risks? Practitioners will develop an equilibrium as has been done with risk factors in 10-Ks and registration statements around increasingly narrow subsets from general risks to industry risks to company risks, etc. Prioritization unduly burdens the RIA without corresponding benefit in my view.
#40. Materiality threshold? Not necessary. If the third party provider is needed that fact alone means it is a material decision.
#41. Some outsourcing not allowed? At some point a car is not a car if no engine, so by the same token an RIA should not be able to outsource every function and still call itself an RIA. This is hard to define but the SEC will know it when it sees it (with apologies to Justice Potter). If a risk factor is material then it should be disclosed.
#42. Determinations re: provider's competence. This begs the question because an RIA does due diligence to ensure the provider is competent. Whatever is necessary from a reasonableness standard should be the rule. By definition, an RIA is doing due diligence in order to make a \"reasonable assessment\" so I may be missing the point of this question.
#43. Due diligence records. For practical reasons already stated, I would advocate for the keeper of the due diligence records to be able to certify that she did all that was required to do and leave it at that.
#44. Subcontracting. This issue opens the door to issues involving mentoring, affirmative action, co-partnering, etc. so caution is advised. For example, some providers may need to partner with more established entities in order to gain experience. As noted above, if too much is outsourced by the provider than in reality the provider is not a provider at all but is instead an agent for the purpose of procuring third party services. Where that line is, it is hard to say. Probably better to kick that can down the road and deal with the problem if and when it happens.
#45. Exemption to subcontracting? See answer to #44.
#46. Requiring assurances. It should be sufficient that the RIA undertakes reasonable due diligence to ensure that the provider is able and willing to provide the desired services. How it does that is part of the information obtained by the RIA in its due diligence. If too much is being outsourced by the provider then that would raise a due diligence red flag necessitating further inquiry by the RIA. This process, if done, correctly should not require additional rules regarding the provider's outsourcing of its functions.
#47. \"Reasonable assurances.\" The word orderly is commonly understood and, in conjunction with the reasonableness standard should not require additional definitions.
#48. Abrupt termination. An RIA should never be in the position of not being able to immediately terminate a provider. The legal exposure of anyone impeding the RIA from doing so would be high in my view.
#49. Record retention. Five years retention is better than three because civil rights will be impacted by this rule and many statutes of limitation extend past three years.
#50. Monitoring requirements as proposed should be adopted.
#51. Frequency of monitoring. As noted above, quarterly is a good compromise and monthly would be too burdensome.
#52. Documentation of monitoring. As noted above, a memo to the file that the responsible supervisor monitored and was satisfied that the provider can continue.
#53. Exceptions to monitoring. No exceptions, especially for smaller RIAs. Enhanced monitoring may be required analogizing to BDs who have to provide extra supervision to \"rogue\" brokers.
#54. How monitoring is done? With the world moving towards remote activity, on-site visits may not be needed but experience will resolve this question.
#55. Proposed monitoring expanded? Yes, in the newly evolving ecosystems of cryptocurrency and securities touching upon the blockchain, more specific examples of monitoring of exchanges, trading platforms, wallets, and mining operations must be given to RIAs as well as guidance in how to perform due diligence.
#56. Scope of requirements. There should be a broader Form ADV reporting requirement rather than limiting it to RIAs that are subject to Rule 206(4)-11 because in this commentator's view of how casually RIAs seem to take their obligations under current Form ADV.
#57. Covered functions. This commentator has never understood how BDs and RIAs have been allowed to \"rent a compliance officer\" to the extent allowed. Some compliance officers serve dozens of registrants. This erodes confidence in the capital markets, especially because so many compliance officers come from the ranks of the regulators. Additional categories should be added to directly include the ecosystems of cryptocurrency and blockchain technology as noted above.
#58. Separate treatment of books and records providers. To the extent that the Rule 204-2 books and records relate to the particular needs involving cryptocurrency and blockchain securities, then these functions should be clearly set forth.
#59. Public disclosure. This commentator knows of a particular service provider who is excellent in what he does but due to bad publicity from years earlier may find some are reluctant to hire him for fear of criticism. So there may be some occasions where the public disclosure is outweighed by specific facts but if that is a wide spread enough problem, waivers could be implemented.
#60. Cross-reference? Yes, cross reference within the same document is advisable but not to other documents.
#61. Cross-reference? See above.
#62. Additional information? Information regarding the actual use of the provider should be disclosed. For example, some RIAs will hold out to the public that they retain prestigious lawyers but in reality actually hardly ever call the lawyer because they know even a short conversation will result in a hefty bill. So the rules should pick up the situation where an RIA will list a BD as placement agent, for example, with a clean, no disclosable events on its Broker-check report, and yet there is no real substantive relationship to speak of. This, arguably, is a fraudulent and deceptive contrivance and is already illegal but perhaps this abuse could be addressed in the rule.
#63. Burdensome to maintain info. Knowing your provider should be no more burdensome than knowing your customer and is just as important, so I would not expect the rule to be too burdensome to any RIA.
#64. Different disclosures to private funds. No, the proposed disclosures should be sufficient in all cases.
#65. Narrative? Yes, narrative disclosures are always better than check the box disclosures. The narrative could be a summary that cross references pertinent information within the ADV.
#66. Flexibility? So long as the provider is reasonably competent to provide the needed services, the rules are not limiting. If anything, expanding technology provides more justification for RIAs to retain third parties, which the rules allow so long as proper due diligence and the other requirements are complied with.
#67. Coverage of rules. Yes, the rules are not that burdensome so rule 204-2(1) should apply to all records that are outsourced.
#68. No response.
#69. Due diligence and monitoring. Yes, due diligence and monitoring requirements should apply to all outsourced recordkeeping functions because of the importance of recordkeeping in protecting the rights of the investing public.
#70. Due diligence requirements. The standard of due diligence should not be allowed to accept the prevailing norms if such norms have not been validated notwithstanding that popular opinion assumes such validation. For example, misunderstanding about the nature of cryptocurrency and the related software protocols should not be the starting point of an RIA's due diligence. In advising a client about investing in a security that is a cryptocurrency, the risks of investing in an asset where there is a lack of transparency and accountability should be required as part of the RIA's due diligence. The myth that the blockchain cannot be hacked is another premise that should not be glossed over by an RIA in its due diligence. I do not think that the words \"cryptocurrency\" or \"blockchain\" were used even once in the Release of the Proposed Rule and that is a concern.
#71. Asked and answered.
#72. I am not sure I understand this question.
#73. Clear? Yes, proposed Rule 204-2(1) is clear.
#74. Exclusions. Broker-dealer archiving should be better regulated for a variety of reasons beyond the scope of this response. Archivists of emails should be subject to more stringent requirements because their role is more substantive in my view.
#75. Service provider agreements. Investment Advisory contracts seems to have a life of their own that are engineered, unfortunately, by wordsmiths who get paid by the word. Unless there are rules such as the ones proposed, the contracts get fatter and fatter and less and less useful. For example, indemnification provisions can go on for pages, needlessly so in my view. The proposed rule is necessary.
#76. Written agreement. For reasons stated above, a written agreement should be mandated. For example, BDs are required to have written agreements between themselves and their controlling persons in some cases. It is needed to protect the investing public to require the agreement as mandated by the new rules.
#77. 4 standards ok? No, I do not understand the meaning of the word \"easily\" in the third standard. Also, a bigger problem is the fourth standard that requires continued availability of records after a relationship is terminated. This is an example of where verbiage in a contract may be mandated because this contemplates two parties, possibly now adverse to each other, still working together. This makes the fourth standard significantly different from the other three and a different approach should be taken.
#78. Appropriate to require standards for providers. The marketplace will determine whether the providers will find the standards too onerous. Comparing to the PCAOB standards, those standards drove a lot of CPAs not only out of the BD audit business but in at least one case known to this commentator to a nervous breakdown and retirement from the industry. These standards seem reasonable.
#79. Asked and answered.
#80. Easy access to electronic records. As noted above, the word \"easily\" should be defined in terms of cost and time involved in obtaining the records.
#81. Records after relationship ends. As noted above, this standard requires more work because of the possibility of a breakdown in the relationship between the RIA and provider including the possibility of litigation between the two.
#82. All third party record keepers covered? No, possibly custodians or cryptocurrency and holders of wallets may not be covered under this rule and they should be, specifically.
#83. Ten months transition. This seems reasonable for all RIAs.
#84. Grandfather provisions. I cannot think of a reason for any grandfather provision.
#85. Different transition periods. No, I can think of no justification for different transition periods as posed in this question.
#86. Short term exceptions. Yes, just as there should be exceptions for emergency termination of a provider, the short term nature of these engagements without compliance with the proposed rules does not appear to pose a risk to the investing public.
#87. Risks not identified. Yes, the risks of outsourcing securities investment advisory advice to third party providers engaged in the ecosystems of cryptocurrency and blockchain poses a significant risk to the investing public. The starting point of any analysis should be the seminal White Paper entitled \"Bitcoin: A Peer-to-Peer Electronic Cash System\" by Satoshi Nakamoto apparently published in 2008 wherein the risks of hacking or what he calls \"double spending\" is clearly set forth. This risk is not widely understood by the investing public and the proposed rules should show an understanding of this risk so that the investing public becomes aware of it and invests accordingly. This risk ripples to the entire cryptocurrency ecosystem and a collapse in the values of certain cryptocurrency could have a domino effect as we have recently seen. The rules do not seem to address this modern risk must less regulate around it.
#88. Agent and moral hazard problems. The Release understates these risks including, as noted immediately above, with respect to risks associated with cryptocurrency and blockchain technologies.
#89. Current processes in place. In my view, the complexity of the current Form ADV significantly impairs its usefulness. Regulating the outsourcing to third parties is a step in the right direction. RIAs may have the processes in place but in name only.
#90. See #89 above.
#91. See #89 above.
#92. See #89 above.
#93. Termination. As noted above, the mandating of continued collaboration between parties where the relationship has been terminated poses significant challenges that in my view need to be separately addressed in a context different from the instant one that contemplates a friendly, cooperative mutually profitable relationship.
#94. Current monitoring. Obviously the current regime relying on the fiduciary obligations of an RIA to \"do the right thing\" by its clients is not enough. Therefore, the proposed rules are justified and long overdue.
#95. New requirements. Perhaps stricter enforcement of the old ones would have made the new ones unnecessary but clearly the new rules are needed.
#96. Costs of compliance. As noted above, the SEC should realize that due to the increasing costs of competent securities counsel, now approaching $1,000 per hour in some big city markets, the result is that RIAs are actually obtaining less legal advice while at the same time there is increasing complexity. This complexity is enhanced by the evolution of cryptocurrency and blockchain investing. A perfect storm is brewing and more and more RIAs are operating without competent counsel for the simple reason they think it is obscene to pay thousands of dollars for an attorney to simply acquaint herself with the facts before rendering any advice. This threat to the investing public cannot be understated.
#97. Anticipated costs. These proposed rules should actually lower the costs to RIAs because they will result in uniformity among RIAs and cause the marketplace of service providers to react in a way that will ultimately benefit the investing public.
#98. Shared costs. The RIAs will pass the cost on to the public. An investor who pays the same 2% to an RIA who buys and holds as she pays to an RIA who is actively trading assets under management makes no sense to this commentator. Yet, the investing public tolerates this proving that they need the protection of the type mandated by these rules.
#99. Impact. These rules will result in improved efficiency, competition, and capital formation in the industry because it will cut down on the widespread abuses by RIAs currently occurring. In addition, if the rules are revised to address the existing threats posed by the inevitable increasing popularity of cryptocurrency and blockchain securities investing, then a major threat to the capital markets will be avoided.
#100. Correct balance? Yes, the proposed rules strike the right balances except with respect to their failures to specifically address cryptocurrency and blockchain securities investing.
#101. Alternatives. Not alternatives, but there should be additional options as discussed above in #100.
Respectfully submitted this 27th day of October, 2022, by:
Daniel H. Kolber,
CEO of Intellivest Securities, Inc.
Series 24, 27, 4, 54, 87, 65
Member NY, GA, FL, VA Bars