Subject: S7-25-22 Comment on Proposed Rule - Outsourcing by Investment Advisers
From: Concerned Compliance
Affiliation:

Nov. 23, 2022

November 21, 2022
 
Vanessa A. Countryman, Secretary
U.S. Securities and Exchange Commission
100 F Street, NE 
Washington, DC 20549-1090
 
RE: Proposed Rule on “Outsourcing by Investment Advisers” (Release Nos. IA-6176; File No. S7-25-22) 
 
Ms. Countryman: 
I am responding to the request of the Securities and Exchange Commission (the “Commission”) for comments on the proposed new rule on Outsourcing by Investment Advisers (the “Proposed Rule” or “Proposal”).
I am an attorney and compliance officer with over 20 years’ experience working at both large and small SEC-regulated entities.  I currently work at a smaller private fund manager.  This experience working to implement SEC rules informs my comments below.  I note that while SEC rules generally have good goals and motivations, how rules are implemented and their effects often vary from how the Staff envisions that they will be implemented.[1]  These comments represent my own views and not those of my employer.  For this reason I am submitting these comments anonymously.[2]
I recognize the time and effort invested by the Commission and the Staff of the Division of Investment Management (the “Staff”) in formulating the Proposed Rule and by DERA for the time spent on the economic analysis, and appreciate the opportunity to comment.  I understand that the Staff has been run ragged with all of the initiatives coming from the Chair’s office.  I think about this great paper tsunami of regulation coming out of the SEC while I read the Proposed Rule and also read in the newspapers about the multi-billion dollar fraud conducted by the FTX exchange, Alameda Research, FTT tokens (most likely securities under Howey), allegations of market manipulation of the price of FTT by a competitor and Alameda and perhaps MNPI violations and allegations of market manipulation of the price of BNB tokens (most likely a security under Howey).  I think that investors may be better protected and the other prongs of the Commission’s three-prong mission may be better served if the SEC were more focused on real and immediate problems like the need to drain the crypto-swamp.
As Commissioners Uyeda and Peirce point out in their comments, there is no showing in the rule discussion or in the economic analysis that there is a problem being solved for or there is a need for additional regulation and its significant implementation costs.  Certainly there could be material problems for firms if their service providers failed to perform their services properly, but it seems, based on the lack of evidence otherwise, that the industry has adequate practices and policies in place to ensure that these occurrences are extremely rare.[3]
Conclusions and Standards for New Regulation
After reviewing the rule, I conclude that there is no justification for it:  
1. There is no showing that there has actually been any material harm in this area that needs to be solved for.  Any harms being solved for are hypothetical and conjectured.
2. In my experience, outsourcing has in fact not materially increased, nor is it increasing, in a way that would create an additional need for the rule.
3. The huge dollar cost of implementing the rule outweighs any harm being solved for; it clearly fails any cost-benefit analysis.
4. There is no showing that the due diligence by RIAs would be effective in preventing any of the conjectured harms hypothesized.
5. Publicly disclosing service providers of an RIA (as opposed to privately distributing a list to investors and the SEC) provides a nice roadmap for hackers in deciding which service providers are the best to target.
6. There are alternatives to these rules that could achieve the same or better results with a much reduced burden.
7. Increased costs due to this and other regulations will impose a disproportionate cost on small firms that do not have a large asset base to spread the costs of the regulation.[4]
8. Additionally, it will make it difficult to launch new firms which, of course, is a benefit for established firms like mine, but as women and people of color are increasingly responsible for new RIA launches, the regulation will have a discriminatory effect and increase institutional racism.
When the SEC thinks about finalizing or withdrawing this rule and whenever it thinks about new initiatives, it should focus on several things – is the rule solving for an actual harm, does the rule cost more to implement than the actual harm it is meant to solve for, will the rule solve for the harm, and are there cheaper alternatives to achieve materially similar results.
If the SEC wants to implement these proposals, then there should be a quid pro quo: if the RIA performs reasonable and market standard due diligence then it should not be liable if a service provider has a problem.  The rule should provide a safe harbor if complied with.
More Detail
1. The Discussion in the Proposal cites only two examples by name of service provider failures causing harm to investors.[5]  In the case of service provider BNY Mellon, its software provider, SunGard, had a problem when implementing a software update.  This issue resulted in a widespread problem of mutual funds not being able to calculate daily NAV but a fine of only $3.5 million, which implies that there was not a large harm to investors.[6]  What is not mentioned in relation to this example is that many of the very sophisticated RIAs which hired BNY Mellon did due diligence on BNY Mellon.  There is no showing or even conjecture that these new rules would have prevented the example of harm given.  The matter of Aegon resulted in fines of $96 million but the events stopped occurring in 2015, involved infractions and malfeasance beyond just errors in how investment models were developed and run, and the harm to investors was not quantified.  Again there is no showing that the sophisticated client of this service provider did not perform due diligence (given its level of sophistication, it probably did perform due diligence) or that this rule would have prevented the harm.  As only two examples are cited, it seems that historically the SEC has not found much harm to investors as a result of the service providers to RIAs.  The SEC seems to have come up with a multi-billion dollar solution to a problem that they cannot even show exists.[7]
 
2. Outsourcing has been an integral part of the investment world for decades and is not materially increasing and, again, there is no showing that problems have been anything but extremely rare.  Therefore, the SEC should answer the question as to why this regulation is necessary now and how it is actually going to protect investors in a real way as opposed to providing some theoretical and marginal benefit.
 
Additionally, smaller firms tend to outsource more of their functions than larger firms.  Large firms have the luxury of economies of scale making it more efficient for them to insource functions. As a result, these rules will have a disproportionately adverse effect on smaller firms in two ways – they do not have the assets to spread the costs of this rule and they outsource a larger portion of their functions.  DERA confirms this point.  I note that Chair Gensler’s perspective on this rule may be colored by the time he spent working at a large bulge-bracket Broker-Dealer.  These types of firms are more able to afford to deal with new rules than smaller firms.  
 
3. The two examples of harm are a pretty slim basis for justifying this new rule which has an estimated cost of $2 billion to initially implement and then $650 million a year to maintain.[8]  This money eventually comes out of investors’ pockets.
 
4. As mentioned above, BNY Mellon was well due diligenced by its bulge bracket, very sophisticated clients but that did not prevent the incident cited.  Most likely, Aegon was due diligenced by Transamerica.  The SEC should examine the due diligence done on these firms and explain why it was not adequate and why this new rule would have prevented these issues.
 
There is no evidence cited that due diligence by RIAs would be effective in preventing any of the conjectured harms hypothesized.  The Proposal refers to it covering 15,169 RIAs.  Probably under 250 (less than 2%) of these are actually adequately staffed and experienced to undertake effective due diligence.[9]  How many of these firms have more than a few hundred employees, implying some level of sophistication in diverse issues?  In fact, and as the Proposal mentions, these firms do not have experience in the diverse areas it takes to run an RIA and therefore outsource many activities.  They outsource activities that they do not have in-depth skill and resources for.  This implies that for the key activities of their service providers, most RIAs are not able to effectively due diligence the core businesses of their service providers.  And, most likely, they are not able to fully understand issues like cybersecurity, business continuity and other issues mentioned as they apply to service providers.
As a result of this lack of knowledge, much of the due diligence called for and much of the due diligence already performed is in the nature of “papering files”.  How many firms have the knowledge or time to understand service providers’ SOC IIs or business continuity and disaster recovery plans that are often hundreds of pages long?  Additionally, certain more security conscious firms only give out summaries of these documents per internal security policies.  How will this rule interact with these security policies?  Will reviewing summaries be sufficient?
5. There are zero reasons provided as to why RIAs should publicly disclose their service providers.[10]  Most private fund managers, which number 5,378,[11] already disclose their major service providers in their DDQs and marketing presentations which are private documents provided to clients.  RIAs could be required to privately provide the information to their current investors annually and to new investors prior to investment.  If the SEC needs this information, it could be provided privately as with Form PF or 13H.  The only reason that comes to mind as to why some would think the information should be public is so that ESG activists can pressure service providers to fire funds if they do not approve of the actions of a fund.  This seems to be the reason for some of the new proposed rules related to proxy voting.  This runs contrary to the three prongs of the SEC’s mission of fostering efficient markets, protecting investors and capital formation.
A potential negative of requiring the public disclosure of such information is that it would be very informative for hackers in relation to choosing which service providers would be the most profitable to hack and also which service providers to focus on if they want to target particular RIAs.  It would seem foolish to provide new vectors of attack for hackers, thereby increasing systematic market risks and insider trading and running contrary to the stated goals of the Proposal.[12]
Although I think more publicly available information is a good thing, perhaps RIAs should be permitted to charge a fee for information on its service providers (and proxy voting data)?  Other service providers would find the information valuable as leads to solicit additional clients.  The SEC permits the SROs to sell for billions of dollars data on the trading of their customers.  Perhaps before making RIAs provide free information on its service providers, the SEC should consider forcing SROs to freely distribute their trading data and the SIP information.[13]
6. There are many and better alternatives to most or all of the aspects of the Proposal.  These alternatives are not considered by DERA in its economic analysis, though they do consider certain alternatives.[14]
 
The best alternative is not to adopt the rule.  The current system seems to be working well and there is no evidence to the contrary.  Many RIAs have vendor due diligence programs and the level of due diligence performed currently is adequate.
 
Are there more efficient options than having 15,000 firms performing due diligence on their service providers?  There is a lot of overlap of service providers with many having hundreds of RIA clients and in some cases perhaps even a thousand or more.  Does it make sense to require hundreds of RIAs to perform duplicative due diligence, much of it superficial, on the same firms?  There are only a few large Prime Brokers.  Should thousands of fund managers perform due diligence on JPMorgan?  Is this an efficient use of their resources?  Also, if any of them found something in a SOC II or business continuity plan that was problematic, unless it was a clear error, they would have zero market power to have JPMorgan change its practices. 
 
It would be more efficient and provide a better result if these service providers were specifically permitted by the SEC to hire an outside expert firm to perform due diligence on the service provider and then provide the report to all of their clients.  If the SEC is provided lists of all service providers used by RIAs, it could, alternatively, inform RIAs as to the overlap they have with various service providers to band together and hire a due diligence firm to diligence the service provider.[15]  
 
Another alternative would be to just require the largest RIAs (or the largest of each type of RIA – private equity manager, hedge fund manager, RIC manager, etc. (over $20 billion in AUM (as opposed to RAUM))) to perform this due diligence.  This requirement would cover the great bulk of service providers.  These larger firms would most likely have more expertise in performing the due diligence and it would prevent the wasting of resources of thousands of firms reading the same documents.
 
In many examinations performed by SEC Examinations, RIAs are asked to provide information on service providers, due diligence performed on service providers (vendors) as well as detailed expense information which would detail all service providers paid by the clients and RIA.  It does not seem like any of this information was referenced in drafting the Proposal.  The SEC should have pretty good data on the use of service providers, who they are, how many are used per RIA, the overlap and which service providers are the most popular, the cost and the level of due diligence.
 
The SEC, in its reply to this letter, should detail its use of this data and how it supports the Proposal.  If the SEC has not utilized this data then it should do so and report on it before finalizing the rule.
 
Before the SEC asks for data, as it has been doing in many of its recent proposals (PF, proxy voting, ESG), it should have to evaluate and publish the results of the evaluation:
                  The cost of providing the information
                  The dollar benefit to the market and the mission of the SEC
                  Whether the SEC has resources in place to quickly and effectively use the data
                  Whether the SEC has the authority to use the data in the manner it details
                  Whether there are alternatives that could provide materially similar data at a lower cost. 
 
In this case, the proposal mentioned that if the SEC was investigating a service provider, they could quickly determine what other RIAs are using the service provider.  A much cheaper alternative is to ask the service provider for a list of its clients.
 
Service providers[16] which are RIAs or regulated broker-dealers should be excluded from the need for due diligence. What is the point of SEC regulation if clients of SEC regulated entities cannot actually rely on the regulation and need to perform their own due diligence on companies to ensure they are complying with regulations, such as by having an adequate business continuity plan?  What is the point of Examinations if clients are told by the SEC that they have to perform their own “examination”?
 
To the extent service providers are not regulated, they would be very reluctant to contractually agree to ensure a client complies with federal securities laws.  They do not know what these requirements are and would need to retain outside counsel to help them to understand the requirements.  This would raise the cost of their service and help to prevent new service providers from entering the area, lock in the current providers and perhaps cause them to consolidate.  The DERA analysis does not consider the increased cost of the services provided resulting from requiring service providers to do more work and renegotiate contracts, especially mid-contract, as proposed.
 
Another possible alternative is to initially roll the rule out to very large firms and later (if at all) roll it out to smaller firms, permitting the smaller firms not to perform due diligence on service providers that the larger firms are already performing due diligence on, and only rolling it out to smaller firms if the rule has proven effective.
 
Whereas the most important service provided by RIAs is investment advice, perhaps standards for due diligence could be adopted just for services forming part of providing this advice like sub advisors and investment model providers.  The SEC should consider limiting the rule to just those service providers.
 
7. There is a great diversity in the level of staffing, assets under management and investing activity of RIAs.  The SEC does not seem to take this into account when making blanket rules covering all 15,000 RIAs.  As noted, the cost of the Proposal per dollar under management would be greater for smaller firms, thus hurting smaller firms.  This is a justification for requiring only firms with large AUMs to comply.[17]
I find it interesting that in this Proposal, and many others, the SEC and Chair like to emphasize the importance of their work by citing that RIAs have $128 trillion under management, which has increased from $47 trillion ten years ago.  But what the SEC fails to mention (presumably purposely) is that this number is a leveraged number including leverage the RIA uses (which can be 10x or more, in certain cases).  The amount of assets under management may be half of the amount cited and much of the growth may just be a result of leverage.[18]  Additionally, this number often includes double and even triple counting of assets in relation to, for example, a fund of funds manager investing in an ETF and the ETF having a subadvisor.  The SEC wants a list of all service providers used by an RIA but does not actually know the amount of client assets the firm has under management.[19]
8. This and the various other new regulations that the SEC has been passing and proposing in record fashion have a real world cost, especially to small firms and new firms.
Firms will need a larger amount of assets as well as liquid RIA resources to launch in order to support the increased costs of operating.  As a result, fewer firms will be able to start and some current firms may merge.  The effect will be less choice for investors and less innovation as well as fewer firms able to service smaller investors.
Additionally, diversity will be negatively impacted.  The effect of increased regulations and the costs incumbent thereto is to cause the industry to become more.  See for example the decrease in the number of broker-dealers and public companies in the last few decades.  In the top rungs of RIAs, African-Americans, women and other minorities are underrepresented in management and ownership.[20]
One way to increase diversity is for these underrepresented groups to start their own firms, which has been happening in increasing numbers.  Due to demographics and minority age distributions, among other reasons, minorities have a higher representation in the senior management and ownership of smaller, newer firms.  DERA should be required to analyze the effects on diversity and equity of this and other new SEC proposals.  Increased regulations such as these may unintentionally have a racist effect.
The more the SEC raises the cost of being an RIA, the fewer new entries into the field there will be and the more consolidation and the less competition and diversity of ideas.  Having fewer regulated entities does make it easier to regulate (as with the SROs) and it also makes it easier for politicians to target favorable legislation and raise campaign contributions.  But centralization also helps to increase systemic risk since it reduces the points of failure necessary to cause system disruptions.  Perhaps DERA should explicitly analyze the systemic risks introduced with centralization in its economic analysis.
 
Summary
 
The SEC does not demonstrate that there is a need for this very costly proposal with actual examples of harms that would have been prevented but only based on economic theory.  Theory is nice but the proof is in the pudding.  There is no showing that current due diligence levels are inadequate or that these new requirements will be effective.  There are better, cheaper alternatives.
 
The Proposal includes 85 multipart questions.  These questions should be answered and a new proposed rule made before the rule is finalized.  Asking 85 questions creates the impression that the Proposal is very tentative and open to change, thereby, perhaps, reducing comments.  
 
Other Comments.
 
Above, I have, in certain cases (but not all), inserted endnotes indicating which of the SEC questions my comments are applicable to, many questions I answer are not referred to explicitly.  There are many questions asked, many of which are overlapping.  Below are some additional specific comments on questions asked.  If I do not answer a question, do not consider it agreement.  There is only so much time that can be spent on this.
 
Q3 – RIAs are responsible for the selection of service providers as fiduciaries.
Q10 – Data providers should be excluded; most due diligence would be ineffective.
Q17 – Material negative impact should be explicitly and quantitatively defined.  In relation to accounting for public companies, material often means five percent.  
Q21 – The proposal does not detail if service providers hired for private funds are included as they are ‘clients’.  Presumably they are intended to be included but this is not clear due to the broad sweep of the proposal.
Q32 – How would the RIA do due diligence on the expert?  As discussed, perhaps affirmatively permit third party due diligence and help to make the process efficient.
Q34 – Any entity regulated by the SEC or the U.S. bank regulators should be excluded.  Not doing so calls into question the efficacy of SEC regulation and whether it has positive effects.  In certain cases, the Proposal may require due diligence of FINRA (maintaining ADV filing system), CFTC (exemptions filings), EDGAR (various form filings), SIPS and DTC (clearing for brokers).
Q36 – There should be an exception for emergencies – if there is an issue with a service provider and it is necessary to replace a service provider quickly, there might be no time to do due diligence on a new provider prior to beginning to work.  
Q45, 46 – Most service providers will be unwilling to provide this type of assurance since they are not familiar with it.
Q47 – Hard to assure an orderly transition if there is a fee dispute and the service provider is not being paid or in the case of insolvency of a service provider.  
Q47 – There is no showing that these types of transition issues have ever caused harm to investors.  The industry (and investors) should not be forced to incur real world expenses in an attempt to prevent a hypothetical harm which, if it did occur, would not be material to the investment industry (as opposed to, perhaps, one or more firms).
Q53 – Discussed above – RIAs with less than $50 billion in assets could be excluded and 95% of service providers would still be covered by the larger RIAs.
Q57 – The definition is not clear and could snowball to DTC and other clearing houses.  Texts may be archived through a cellular carrier – especially after the recent fines – are cellular carriers covered? There is then generally a service provider that gathers the texts from the cellular carrier and sends them to the archiving firm.  Covered?  In an exam sweep the SEC can go to different types of RIAs and ask for a list of every service provider, cost, whether related, function and then use this information to get a better understanding of this issue.
Q59 – A better question is what is one reason to provide this information publicly if it can be done privately to investors and regulators?  The text prior to this series of questions focuses in part on allowing the SEC to discover conflicts.  This is probably mainly, if at all, in the case of private equity advisors, a small subset of advisors, and does not justify creating rules for 15,000 advisors.
Q66- Does the SEC really think that requiring thousands of RIAs to perform due diligence on Amazon Web Services passes any sort of cost benefit analysis? 
Q67-82 – All of the examples of actual problems cited like not being able to read records would all be violations under current rules and are very rare.  There is no showing that this rule would be more effective than the current rules.  No matter how many rules you pass, there will always be a small handful of RIAs that are not diligent in their compliance or who simply make a mistake.  Passing layer upon layer of new rules will not do anything about this thin tail while imposing billions of dollars in costs on the RIAs which are doing a good job.
Q83-85 – Implementation/Adoption.  I strongly advise against adoption of the rule.  It is completely not justified on a cost/benefit analysis or any analysis.  If it is adopted, it should be required to be implemented in the least expensive way possible.  Any required changes to existing contracts should only need to be adopted when the contract is renewed, not mid-term.  RIAs should have at least 18 months after adoption to perform due diligence on existing providers and implement the other requirements of the rules.
 
Thank you for the opportunity to comment.
Concerned With Compliance



[1] I note that, in my experience, very few Staff members actually worked in regulated entities in contrast to the many who worked in law firms servicing regulated entities.  Outside counsel do not directly implement rules and often seem to not fully understand how this is done and the various non-legal considerations within regulated entities.  Additionally, outside counsel has a conflict of interest in relation to increased regulation in that they benefit from more regulation and more complicated regulations since it provides work, whereas inhouse counsel and compliance personnel have more work to do as a result of new rules.  Most comment letters you receive are drafted by outside counsel.  Most trade organizations which comment on regulation are dominated by the larger firms among their stakeholders.  You normally do not receive in-depth comments from smaller firms since they do not have the time or resources to comment on proposed regulations and want to stay off the regulator’s radar screen.  These regulations will affect many non-regulated service providers who do not follow SEC regulation.  Have they been reached out to for comment?

[2] Standard practice would require me to have this letter viewed by outside counsel which would cost in the area of a few thousand dollars.  As an FYI for DERA and others, respected NYC private fund law firms generally charge more than $500 an hour for first year associates, $1000+ an hour for very junior partners and of counsel and close to $2000 per hour for senior partners.  

[3] This replies to Question 1 (Q1).

[4] In the RFA section of the proposal, RIAs with under 25 million dollars are looked at.  This is a ridiculously low number and would not even allow such a manager to become an RIA today.  By small advisors, you should be looking at funds that manage $5-10 billion or less.  These are small RIAs today.

[5] See Proposal footnotes 16-18 and accompanying text and page 110.  There is a third example that just deals with record keeping issues.

[6] Note the fine was made by a state regulator and not the SEC.  

[7] If this issue presents systemic risks as alleged, then perhaps the SEC should do more than just require a bunch of firms to go out of their wheelhouse to conduct superficial due diligence.  Remember you are always fighting the last war so any likely problem is not the ones being looked for.  See Proposal, page 10. 

[8] See Proposal, page 146ff.  Note for contrast that the SEC annual budget is $2.2 billion.

[9] The Proposal, page 100, indicates that “The average RAUM among RIAs was $8.45 billion and the median was $396.8 million.”  This means that 50% of firms have under $400 million in leveraged assets (talk about inequality!).  Based on current fees (which are very rarely the 2 and 20 that certain Commissioners like to cite), that is not a lot of assets to support the increased costs of operating a firm and the costs of this proposal of approximately $130k per firm in the first year and $40k per year on an ongoing basis, see page 146.

[10] This section answers Question 2, 59 and related questions.

[11] Proposal, page 101.

[12] https://www.sec.gov/news/press-release/2019-1.  The publication of the names of service providers has so little justification that it almost seems like this part of the proposal is included just as a straw man with no purpose that can be sacrificed on the altar of compromise while keeping the rest of the requirements of the Proposal.

[13] Since traders are willing to pay for SRO information, it would appear to be a form of material non public information; NASDAQ, Inc. is not permitted to sell early access to its earnings information, why should it be able to charge for its trading data?

[14] See Proposal, page 66 ff.  Although DERA has a separate budget, the head is appointed by the SEC Chair and therefore DERA is not independent in its ability to push back against Chair initiatives (which are the only kind there are in the SEC).  DERA is generally relegated to the unenviable task of coming up with economic justifications for policies whether or not they actually think that they make sense.  

[15] Preparing this information may cost the SEC a couple of million dollars, being generous, but could save investors hundreds of millions of dollars.  One likely outcome of this Proposal, if adopted, is that more smaller firms will move to having their compliance consultants such as ACA, or their law firms, perform the due diligence.  Many already do.  So you then have 100s or thousands of firms paying for the same work, a great windfall for these service providers.   

[16] This and the following paragraphs provide information on Q4-8, 12.

[17] In relation to moral hazard referenced by DERA, firms which do not take their fiduciary duties seriously are not going to have their actions significantly changed by this rule.  It is non-cowboy firms which will be the most hurt by the costs of the rule but least needing additional instruction from the SEC.

[18] While Form ADV is being amended, a requirement to include actual AUM under management should be included.  The inclusion of only RAUM is misleading to investors (and, apparently, to the Chair).

[19] If the SEC is going to amend Form ADV, it should ask for an actual AUM number.

[20] On this lack of diversity, see, for example, Commissioner Lizarraga, https://www.sec.gov/news/speech/lizarraga-remarks-raising-bar-diversity-equity-and-inclusion-101322