How New SEC Proposal Impacts Outsourcing Due Diligence and Oversight


Citisoft’s Outlook 2023 gives great insight into the solutions strategy evolution occurring in the investment management industry as well as varying service provider models (proprietary, partnership, and open architecture). Many investment advisors will be aware that these changes are happening concurrently with a recent SEC proposal relevant to outsourcing. The proposed new rule (206(4)-11 under the Investment Advisers Act of 1940) would prohibit registered investment advisors from outsourcing covered functions without the appropriate initial due diligence, continued and consistent monitoring of the service providers, and the requisite oversight of outsourced services.

With many asset managers considering changes to their outsourcing partnerships or service levels, this regulation may come into play in assessing solution provider options. In particular, the willingness of service providers to pull back the curtain on their operational and technical models may be an important factor in selection.

In other Citisoft blogs, we have discussed the trends in oversight models and the growing focus in this area. With the advent of proposed SEC rule 206(4)-11, the “right” level of due diligence and oversight will be more clearly mandated by the SEC. Therefore, advisors should operate under the assumption that there will and should be greater scrutiny of the toolsets required for daily and periodic oversight by service providers. When conducting requests for proposals and proofs of concept with various service providers, the due diligence and oversight capabilities provided should also be reviewed and appropriately weighted into the service provider selection process.

Due diligence and oversight capabilities to be explored should include but not be limited to the following:

  • Service provider due diligence documentation and transparency
    • Has the service provider conducted the necessary initial and continued due diligence into their contracted service providers/subcontractors, and vendors, and do they make this transparent to their outsourcing clients via shared documents and/or dashboards?
    • Does the service provider provide notification to outsourcing clients when they change their service providers and vendors?
  • Accessibility and ease of internal implementation
    • Are your users required to log in to a service provider's various applications to determine the state of play for the day, or is there a central communication point for functional reviews?
    • What security is in place to ensure non-client users will not be able to access sensitive client information?
    • What degree of integration and/or development is required by their clients to use the due diligence and oversight capabilities?
  • Degree of automation and transparency into processes
    • Do functional dashboards with click-through capability to underlying processes and/or data exceptions exist, or is the user required to review a slew of reports delivered via SFTP and/or email to find the needle in the proverbial haystack?
    • If functional dashboards do exist, do they follow well-documented workflows and utilize workflow automation tools?
    • Can the client assess the state of play for a function at a glance?
    • What archive capabilities are available for this toolset?
  • Interactive communication capabilities with archive capabilities
    • How will the service provider be able to communicate exception issues requiring input from the client? Is this communication tool integrated into the oversight toolset provided by the service provider? Does the communication toolset provide traceability of this issue until resolution?
    • What archive capabilities are available for this toolset?
  • Data quality, readiness, accessibility, and delivery
    • Does the service provider have a flexible but well-documented set of data checks conducted on the data before it is shared with the client? Can data quality checks be customized per client requests?
    • How is data readiness defined by the service provider? Will the service provider share data prior to it being fully “ready”? For example, will security master data be shared with the advisor prior to its enrichment and scrubbing?
    • How is end state data provided by the service provider to the advisor? Will the advisor receive numerous files via SFTP, and/or has the service provider embraced the cloud and does it require the advisor to embrace it as well?
    • Is the service provider compliant with global recordkeeping requirements as applicable to the advisor and will they make these easily accessible to the advisor during the agreed period of retention and be willing to provide access even if the relationship between the service provider and advisor is terminated?

As stated in the SEC proposal, “Outsourcing a service also presents a conflict of interest between an adviser providing a sufficient amount of oversight versus the costs of providing that oversight or the cost of the adviser providing the function itself. Poor oversight could lead to financial losses for the adviser’s clients, including through market losses and as a result of increased transaction costs or the loss of investment opportunities. Excessive oversight can result in costs to the adviser, and potentially its clients, that outweigh the intended benefits.” Each advisor must calculate the risks and costs associated with outsourcing, but a well-defined and developed client oversight toolset could tip the scale in favor of a particular service provider.