SEC Proposes Rule for Investment Advisers Engagement of Service Providers

Last week, the Securities and Exchange Commission (the “SEC”) released a proposed rule (the “Proposed Rule”) under the Investment Advisers Act of 1940 (the “Advisers Act”) that, if adopted as proposed, would require SEC registered investment advisers (“RIAs”) meet certain minimum requirements before outsourcing certain services or functions related to their business.[1] In the accompanying press release, the SEC stated that the use of third-party service providers has increased, and the Proposed Rule would protect investors by ensuring that an RIA’s outsourcing “is consistent with [the RIA’s] obligations to their clients.”[2]  However, many in the industry have noted that the RIA already owes a duty to its clients in outsourcing services to third-parties and there is no evidence that RIAs currently misunderstand their fiduciary obligations in engaging and outsourcing services to third-parties.[3]

Generally, the Proposed Rule provides the manner in which an RIA must conduct diligence and oversee a third-party service provider that provides certain services for the RIA, including enhanced oversight of third-party recordkeepers. The Proposed Rule also would amend Form ADV to require RIAs disclose whether it outsources covered functions. 

A summary of some of the key elements of the Proposed Rule are described below:

Scope of the Proposed Rule

The Proposed Rule would create a new Section 206(4)-11, which would provide for an oversight framework covering RIAs that outsource “covered functions” to “service providers.” 

A “covered function” is defined in the Proposed Rule as a function or service that is both: (i) necessary in order for the RIA to provide investment advisory services in compliance with the Federal securities laws, and (ii) one that if it were not performed or were performed negligently, would be reasonably likely to cause a “material negative impact” on the RIA’s clients or on the RIA’s ability to provide investment advisory services.[4] Under the Proposed Rule, whether a service or function is a covered function is a facts and circumstances determination.[5]  However, the Proposed Rule provides a non-exhaustive list of examples which the SEC considers “covered functions” in the proposed amended Form ADV, where an RIA would have to disclose if the RIA outsourced certain enumerated functions.[6]  Additionally, clerical, ministerial or general office functions or services would not be “covered services” under the Proposed Rule.[7] 

The Proposed Rule defines a “service provider” as a person performing one or more covered functions that is not a “supervised person” under the Advisers Act.[8] 

Due Diligence and Oversight

If adopted as proposed, the Proposed Rule would require an RIA, before retaining a service provider to perform a covered function, to reasonably identify and determine through due diligence that outsourcing the covered function to that particular service provider would be appropriate.  In conducting its diligence, the RIA must consider:

  • the nature and scope of the covered function;
  • potential risks (and mitigation of risks) resulting from the service provider performing the covered function;
  • The service provider’s competence, capacity, and resources necessary to perform the covered function;
  • The service provider’s material subcontracting arrangements related to the covered function;
  • Coordination with the service provider for Federal securities law compliance; and
  • The orderly termination of the performance of the covered function.[9]

The Proposed Rule also would require the adviser periodically to monitor the service provider’s performance and reassess the selection of the service provider under the due diligence requirements of the rule.[10] Additionally, the Proposed Rule would require the RIA to report information about these service providers on Form ADV, and the RIA would have recordkeeping obligations related to its due diligence and monitoring of these service providers.[11]


Enhanced Oversight of Third-Party Recordkeepers

Under the Proposed Rule, if an RIA engages a third-party recordkeeper, the RIA will need to, in addition to the disclosure and oversight obligations outlined above, obtain reasonable assurances that the third party will meet four standards, which address the third party’s ability to:

  • Adopt and implement internal processes and/or systems for making and/or keeping records that meet the requirements of the applicable recordkeeping rule;
  • Make and/or keep records that meet the requirements of the applicable recordkeeping rule;
  • Provide access to electronic records; and
  • Ensure the continued availability of records if the third-party service provider ceased operations or terminated its relationship with the RIA.[12]


Comment Period

The public comment period for the Proposed Rule will remain open for at least sixty days following publication of the proposing release on the SEC’s website.


Whether or not the proposed rule would result in more thorough diligence than RIAs already conduct on non-ministerial/non-clerical third-party service providers is unclear.  However, if the Proposed Rule is adopted as proposed, it will cause RIAs to increase possibly expand or refine documentation of the diligence and oversight expressly required under the final rule.  If you have any questions about the Proposed Rule or about the regulation of investment advisers or broker-dealers generally, please feel free to contact us.

By the Investment Management and Broker-Dealer Team at Kilpatrick Townsend

This content is provided by Kilpatrick Townsend & Stockton LLP for informational purposes only and is not intended to advertise our firm’s services, to solicit clients, or to provide legal advice.  Viewers should not rely on the posted materials as advice about specific legal problems.  Such advice can be rendered only by competent counsel familiar with the particular facts and circumstances involved.  Posting and viewing of the materials on our website or in printed form is not intended to constitute the rendering of legal advice or to create an attorney-client relationship with the viewer.  If Kilpatrick Townsend & Stockton LLP does not already represent you, and you send us an e-mail, your e-mail will not create an attorney-client relationship and will not be treated as privileged or confidential.

[1] SEC Proposed Rule, Outsourcing by Investment Advisers, SEC Release No. IA-6176, available at (hereinafter, the “Proposed Rule”).

[2] SEC Press Release, SEC Proposes New Oversight Requirements for Certain Services Outsourced by Investment Advisers, October 26, 2022, available at

[3] Statement of Commissioner Mark T. Uyeda, Statement on Proposed Rule Regarding Outsourcing by Investment Advisers, available at

[4] Proposed Rule at 227.

[5] For example, the Proposed Rule describes an RIA’s engagement of a third party to provide valuation services as an example of a Covered Function, but notes that relying on common market data providers providing publicly available information would not be covered under the Proposed Rule.  See Proposed Rule at 24, footnote 39.  Further, the client’s selection of a custodian is not a covered function because it is the client, not the RIA, who engages the custodian. Proposed Rule at 21.

[6] See Proposed Rule at 227.  The non-exhaustive list of enumerated “covered functions” in the Form ADV would include adviser/subadviser; client servicing; cybersecurity; investment guideline/restriction compliance; investment risk; portfolio management; portfolio accounting; pricing; reconciliation; regulatory compliance; trading desk; trade communication and allocation; and valuation.

[7] Proposed Rule at 227.

[8] Proposed Rule at 227.

[9] SEC, Fact Sheet, Outsourcing by Investment Advisers, October 26, 2022, available at ia-6176-fact-sheet.pdf ( (hereinafter, the “Fact Sheet”)

[10] Fact Sheet.

[11] Fact Sheet.

[12] Fact Sheet.


Knowledge assets are defined in the study as confidential information critical to the development, performance and marketing of a company’s core business, other than personal information that would trigger notice requirements under law. For example,
The new study shows dramatic increases in threats and awareness of threats to these “crown jewels,” as well as dramatic improvements in addressing those threats by the highest performing organizations. Awareness of the risk to knowledge assets increased as more respondents acknowledged that their