The FRB, FDIC, and OCC recently issued principles-based guidance on managing third-party relationships, a markedly different approach from the SEC's more prescriptive proposal, which codifies and expands its longstanding practice of reviewing diligence and oversight of service providers. While the approaches differ, widespread regulatory activity in this space highlights the need for global investment managers and other financial institutions to carefully review their practices, policies, and procedures concerning third-party providers.

Interagency Guidance on the Use of Third Parties

On June 9, 2023, the Federal Reserve Board (the "FRB"), the Federal Deposit Insurance Corporation (the "FDIC"), and the Office of the Comptroller of the Currency (the "OCC") (collectively, the "Agencies") issued final joint guidance (the "Interagency Guidance") on managing risks associated with third-party relationships.1 Prior to the Interagency Guidance, the Agencies had each issued guidance to ensure that banks under their supervision complied with applicable laws and regulations and operated in a safe and sound manner when activities were performed by third parties. The Interagency Guidance replaces previous guidance from the Agencies and provides a principles and risk-based approach to third-party risk management applicable to a wide range of third-party relationships.

For example, the Interagency Guidance advises banks to tailor their risk-management practices in accordance with several factors, including the size and complexity of the bank and the risk profile and nature of the third-party relationship. Where a third-party relationship supports a higher-risk activity, such as a "critical activity," the guidance suggests that banks should consider adopting more comprehensive and rigorous oversight.

The Interagency Guidance also acknowledges that third-party risk management tends to follow a continuous lifecycle for third-party relationships and lays out specific guidance for banks as they engage in each of the following activities: (i) planning; (ii) due diligence and third-party selection; (iii) contract negotiation; (iv) ongoing monitoring; and (v) termination. The Interagency Guidance further describes three categories of governance that banking organizations should consider when structuring their risk management processes: (i) oversight and accountability; (ii) independent reviews; and (iii) documentation and reporting.

The Interagency Guidance provides a principles and risk-based approach and is explicit in stating that the examples it provides are "merely illustrative, not requirements, and may not be applicable or material to each banking organization or each third-party relationship." The Interagency Guidance further emphasizes that the examples it provides "are not intended to be interpreted as exhaustive or to be used as a checklist." Nonetheless, the Interagency Guidance identifies important issues and specific guidance for banking organizations to consider throughout the lifecycle of their third-party relationships, and we note that the Interagency Guidance will still inform the Agencies during their examinations of banking organizations.

SEC Proposal on Outsourcing by Investment Advisers

In the Proposed Rule, the SEC has taken a more prescriptive approach.2 The Proposed Rule would prohibit investment advisers from using a service provider to provide a "covered function"3 unless the investment adviser adheres to a prescribed six-part due diligence process before engaging with the service provider. The investment adviser would also need to perform ongoing monitoring, diligence, and recordkeeping to ensure that it remains appropriate to continue outsourcing each covered function and that it remains appropriate to retain the specific service provider providing each covered function. The Proposed Rule would also make changes to Form ADV that would require investment advisers to publicly list the service providers that perform covered functions and include, among other things, information about the services provided, when the services began, and whether the service provider is a related person of the investment adviser.

The Proposed Rule has received significant pushback. Many have questioned the need for the Proposed Rule, including Commissioner Peirce, who noted that the Proposed Rule release itself confirms that an adviser already "remains liable for its obligations, including under the Advisers Act, the other Federal securities laws and any contract entered into with the client, even if the adviser outsources functions." Others, including Commissioner Uyeda, have pointed to the broad scope of the "covered function" definition, noting that, while the SEC suggests the definition is "designed to apply in the context of outsourcing core advisory functions," the definition is broad enough to subject virtually any outsourced function to the due diligence and monitoring obligations of the Proposed Rule.

The definition of "service provider" has also raised concerns from some in the industry as it would, as currently drafted, encompass affiliated service providers, including some that are already subject to the supervisory controls of the investment adviser. In addition, commenters have pointed to the logistical difficulties involved in complying with the six-part due diligence requirement for potentially dozens of outsourced activities and have raised concerns that such a requirement could lead due diligence on outsourced activities to move away from thoughtful, careful review to a rote check-the-box exercise.

Conclusion

While further action on the Proposed Rule is not expected until April 2024, it is important to note that, at present, investment advisers remain liable for their obligations under the Advisers Act, even if those functions are outsourced. We further note that, even absent the Proposed Rule, the SEC is actively monitoring this space, having stated in its 2023 Exam Priorities that it is focused on the selection and use of third-party service providers that funds use to conduct their activities. Despite their different approaches, the Interagency Guidance and the Proposed Rule showcase the importance that regulators are placing on the oversight of service providers. Investment managers and other financial institutions should carefully consider their approach to developing third-party service provider relationships and to managing and overseeing such relationships throughout their lifecycles.

Footnotes

1. Interagency Guidance on Third-Party Relationships: Risk Management, 88 Fed. Reg. 37920 (June 9, 2023), available at https://www.federalregister.gov/documents/2023/06/09/2023-12340/interagency-guidance-on-third-party-relationships-risk-management.

2. For additional insight into the Proposed Rule, please see our previous client note: Outsourcing by Investment Advisers: SEC's Proposed Rule Irks Industry.

3. The Proposed Rule would define a "covered function" to mean "a function or service that is necessary for the investment adviser to provide its investment advisory services in compliance with the Federal securities laws, and that, if not performed or performed negligently, would be reasonably likely to cause a material negative impact on the adviser's clients or on the adviser's ability to provide investment advisory services." The definition also clarifies that "[a] covered function does not include clerical, ministerial, utility, or general office functions or services."

We are also grateful to Bhavishya Barbhaya, Haanbee Choi, Michal Folczyk, Matthew Gallot-Baker, and Daniel Kim for their contributions to this regulatory update.
