The Investment Adviser Association is requesting the SEC "step back and holistically consider the practical ramifications of the more than a dozen consequential new rules & proposals impacting advisers that the agency has issued since SEC Chair Gary Gensler took office." They've commented, will you?

Look at the can kick!

In our letter, we note that, taken together, these regulations will significantly overhaul the current regulatory regime for advisers. If adopted, they also will disrupt existing infrastructures and relationships, with substantial implications for advisers, investors, service providers, and the markets. We further note that the SEC does not appear to fully appreciate the costs and efforts that will be required for advisers to implement these new regulations. Specifically, the IAA letter urges the SEC to:

  • Explicitly and cohesively address, prior to any adoption, the potential implications of the Outsourcing, Cybersecurity, Safeguarding and Regulation S-P Proposals. Our letter explains how these four proposals are especially interconnected and include duplicative and potentially inconsistent requirements.
  • Undertake a more expansive, accurate, and quantifiable assessment of the cumulative costs, burdens, and other effects that all of these proposed regulations, if adopted, would impose on advisers, their clients, and other market participants.
  • Directly and accurately address how these regulations would affect smaller advisers and thoroughly consider and explicitly address alternatives.
  • Before taking final action on these regulations, seek public feedback on a comprehensive implementation timeline for tiered and staggered compliance requirements and dates for all these proposals.

Would you like to comment in response to this?

Check out this link with links to all the rules the SEC is considering this Spring from the Office of Information and Regulatory Affairs Spring 2023 Unified Agenda of Regulatory and Deregulatory Actions, which includes contributions related to the SEC and short- and long-term regulatory actions that SEC plans to take.

TLDRS:

  • The Investment Adviser Association (IAA) has raised concerns about new regulations proposed by the SEC, arguing that they could disrupt existing infrastructure and relationships in the financial industry and potentially impose high costs on advisors.
  • IAA has commented, will you?

Letter:

The Investment Adviser Association (IAA)[1] commends the Commission for recognizing the need to consider and address the impact that certain recently proposed investment adviser regulations involving cybersecurity and data breaches may have on each other.[2] We strongly support enhancing the preparedness and resiliency of advisers against cybersecurity threats and protecting the data privacy of investors, and, in our comment letter on the Cybersecurity and Regulation S-P Proposals, we expressed our general support for Commission efforts to do so, subject to certain modifications.[3] While we appreciate that the Commission reopened the comment period on the Cybersecurity Proposal for this purpose, we feel compelled to note again that the Regulation S-P and Cybersecurity Proposals are just two among a series of more than a dozen consequential new rules and proposals – some that are highly interrelated – impacting advisers that the Commission has issued during the past two years that are unprecedented in their scope and speed (collectively, Adviser Proposals).[4]

When taken together, the Adviser Proposals, if adopted, will significantly overhaul the current regulatory regime under the Investment Advisers Act of 1940 (Advisers Act) and rules thereunder, requiring massive implementation efforts from advisers. They will also disrupt existing infrastructures and relationships, with substantial implications – foreseen and unforeseen – for advisers, investors, service providers, and the markets. Even if the Commission were to modify the Adviser Proposals pursuant to the recommendations we made in our comment letters,[5] there will be significant changes to current practices requiring substantial implementation efforts by advisers. The Commission has severely underestimated the costs of the Adviser Proposals – both in isolation and on a cumulative basis – for all advisers, and especially for smaller advisers. At the same time, it has, in our view, overestimated the potential benefits, and we are concerned that the Adviser Proposals collectively will harm rather than further the Commission’s stated goals.

We urge the Commission to consider the Adviser Proposals – including their costs and benefits – together and holistically, prior to adopting any more final rules relating to these proposals. In particular, we believe it is important for the Commission to consider the Regulation S-P, Cybersecurity, Outsourcing,[6] and Safeguarding[7] Proposals (collectively, the Four Proposals) together.[8] These proposals are especially interconnected, include duplicative and potentially inconsistent requirements, and address overlapping concerns. We discuss this overlap below.

We also make recommendations relating to implementation of the Adviser Proposals by advisers. Establishing a more reasonable implementation timeline will lessen some of the implementation burdens, which will be staggering regardless of whether the Commission addresses our substantive concerns with these proposals. For example, tiering and staggering compliance requirements would better enable advisers to implement and operationalize the many new requirements under the Adviser Proposals that we anticipate will be adopted within a short time of one another. A reasonable timeline would also demonstrate that the Commission appreciates that advisers will need to implement these new rules while at the same time maintaining and executing their existing compliance programs and, most importantly, continuing to serve their clients.

Specifically, we recommend that the Commission:

  • Explicitly address the potential implications of the Four Proposals cohesively prior to adoption.[9]
  • Undertake a more expansive, accurate, and quantifiable assessment of the cumulative costs, burdens, and economic effects that all the Adviser Proposals would impose on advisers, their clients, and other market participants.
  • Directly and accurately address how the Adviser Proposals would affect smaller advisers and thoroughly consider and explicitly address alternatives.
  • Before taking final action on the Adviser Proposals, seek public feedback on a comprehensive implementation timeline for tiered and staggered compliance requirements and dates for all these proposals.

We look forward to continuing our constructive engagement with the Commission on the Adviser Proposals and other important issues affecting investment advisers.

I. Explicitly address the potential implications of the Four Proposals cohesively prior to adoption.

A. We support the Commission’s consideration of the potential implications of the Regulation S-P and Cybersecurity Proposals together.

The IAA appreciates that the Commission has identified and is seeking comments on ways that the Regulation S-P and Cybersecurity Proposals interact. As further discussed in our Regulation S-P Letter, we highlight certain areas below where there is interplay between the Regulation S-P and Cybersecurity Proposals. We also agree with the Commission that these two proposals are based on distinct statutory requirements and serve related but separate objectives and support addressing these issues through separate rulemakings, as proposed. However, we strongly support the Commission’s efforts to assess the potential implications of these proposals cohesively prior to adopting them.

This Commission’s inquiry is necessary to help advisers develop coherent policies and procedures, avoid having to engage in unnecessarily redundant efforts, and lessen the risk that the interplay between these proposals could lead to technical noncompliance with one or both proposed rules. For example, the Regulation S-P and Cybersecurity Proposals both include requirements for advisers to create policies and procedures reasonably designed to detect, respond to, and recover from unauthorized access to adviser information systems. Advisers would also be required under both proposals to disclose publicly how they have addressed and remediated breaches. It would be helpful for the Commission to explicitly address how these requirements would interact with one another – e.g., whether they are inconsistent or duplicative – and how they would be implemented, especially on different timelines. We offer specific recommendations to address these and other concerns in our Regulation S-P Letter.

We are especially concerned with the requirements in both proposals for advisers to negotiate new or renegotiate existing contracts, often with the same parties, but with different requirements and different implementation timelines. We address this concern below since it is front and center in each of the Four Proposals.

B. We urge the Commission to evaluate the Four Proposals holistically before considering final action on any of them.

The IAA strongly encourages the Commission to expand its inquiry to also include the Outsourcing and Safeguarding Proposals prior to taking final action on any of the Four Proposals. Specifically, we believe that the Four Proposals should be evaluated cohesively by the Commission to assess how they interact with one another and their overall likely impacts. This evaluation should also consider commenters’ collective feedback on each of the Four Proposals and how that feedback informs the Commission’s holistic review. Following that evaluation, the Commission could (i) adopt rules or, as an alternative, guidance, that reflect this holistic assessment, (ii) share its thinking and preliminary conclusions and reopen the comment periods to allow for public feedback on its evaluation, and/or (iii) withdraw and repropose the Four Proposals with significant modifications.[10]

While the Commission has recognized the potential interaction between the Regulation S-P and Cybersecurity Proposals, it has not explicitly addressed the implications of that interaction and how concerns may be mitigated. Nor has it addressed how these proposals may overlap or interact with the Outsourcing and Safeguarding Proposals, which are also closely related. We believe that only by considering the Four Proposals together will the Commission be able to identify and address, and, if warranted, provide guidance on, aspects of these proposals that, among other things: overlap or are duplicative; conflict or could lead to inconsistent results; may result in the inefficient or unnecessary deployment of valuable resources by advisers; or could lead to unintended consequences to the detriment of advisers, investors, and the markets.

A more holistic consideration of the Four Proposals would also enable the Commission to evaluate whether the proposals could be modified to achieve the Commission’s goals through a more targeted and less onerous approach than what has been proposed, and/or where guidance would be helpful.[11] Unless these concerns are addressed up front, advisers will incur unnecessary and significant legal and compliance fees as they attempt to navigate how to comply with any final requirements. Moreover, the Commission will have to devote substantial time and effort to issuing clarifying guidance or relief after the rules are adopted.

We offer the following examples relating to the proposed requirements for contractual terms and the treatment of custodians to demonstrate some of the complexity of the interrelationships among the Four Proposals and highlight just a few of the many challenges advisers are likely to face as they try to implement each proposal, if adopted substantially as proposed.

Implications of contracts and reasonable assurances requirements. As with the Regulation S-P and Cybersecurity Proposals, the Outsourcing and Safeguarding Proposals would each also require advisers to negotiate contractual terms with or obtain reasonable assurances from various service providers.[12] Indeed, advisers would need to negotiate or renegotiate required terms four different times, often with the same parties but with different deadlines within a fairly short period.[13] As discussed in our comment letters on each of these proposals, these terms may be inconsistent with the business imperatives of service providers, and even where they are not, service providers have little incentive – whether regulatory or economic – to negotiate specific terms with advisers. Moreover, most advisers have little to no leverage to compel them to do so, thus calling into question the effectiveness of these proposed requirements. Given these real-world practical constraints, the Commission is essentially asking advisers to devote substantial resources repeatedly to efforts that may not generate the required results, could divert advisers from focusing on risks or concerns more specific to their businesses, and could lead to multiple instances of technical noncompliance.

The specific terms that would need to be negotiated in three of the Four Proposals are also overlapping and thus confusing. For example, the Outsourcing Proposal would require that advisers obtain reasonable assurances from service providers with respect to their ability to meet the proposed due diligence and recordkeeping standards. By contrast, the Regulation S-P Proposal would require policies and procedures that require covered institutions to enter into a written contract with each service provider requiring that it take appropriate measures designed to protect against unauthorized access to or use of customer information. And the Cybersecurity Proposal would require a written contract relating to the cybersecurity controls of third-party service providers. It is not at all clear how advisers are expected to interpret and apply these different but related requirements in different negotiations with the same or related service providers.[14]

Interplay and lack of clarity with respect to custodians. The interplay between the Outsourcing and Safeguarding Proposals raises additional issues with respect to the treatment of custodians. In our recently submitted Supplemental Outsourcing Letter,[15] we asked the Commission to make clear, if it adopts a final outsourcing rule – which we recommend against – that custodians are outside the scope of that rule. As discussed in that letter and in our Safeguarding Letter,[16] a custodian contracts directly with its customer to provide it with custody services and the adviser has no privity of contract with the custodian with respect to that relationship or those services. The Outsourcing Proposal suggests that these custodians would not be covered by that proposed rule. However, because the Safeguarding Proposal proposes to capture all discretionary trading under the definition of custody, it would require at least one contract between every adviser that exercises discretionary authority (over 90% of advisers)[17] and every custodian with which the adviser’s clients have a relationship. This sudden and unexpected privity of contract could make all custodians “Service Providers” under the Outsourcing Proposal, subjecting advisers to all the requirements under the Outsourcing Proposal, including another round of negotiation of specific terms. We do not believe that this is or should be the Commission’s intention.

In addition to the myriad other concerns we have expressed regarding the proposed contractual/reasonable assurances requirements – including relating to applying the anti-fraud provisions of the Advisers Act to technical foot-faults, we are concerned about the implications for the adviser’s clients. If the adviser were unable to get a custodian to agree to any of the specific required terms under either of these proposals, the adviser would not be able to use that custodian, but nor would its clients. The adviser’s clients would need to switch custodians if they wanted to stay with the adviser, or switch advisers if they wanted to stay with the custodian. We do not believe that the Commission intends to limit clients’ choice this way or for these rules to be so disruptive to clients.

Increased cybersecurity risks. We are concerned about situations where the Four Proposals could result in additional significant unintended consequences, some that may lead to increased risk and substantial investor harm. For example, the specificity of the proposed disclosure requirements – directly to clients or in Form ADV filings – in the Regulation S-P, Cybersecurity, and Outsourcing Proposals could lead to further cybersecurity attacks against advisers and their clients. Each of these proposed requirements raises the concern that cybersecurity threat actors will be provided with a roadmap for further attacks through public disclosures – for example, through a description of a firm’s cybersecurity remediation efforts. Public disclosures that indicate which service providers serve which advisers – as would be required, for example, by the Outsourcing Proposal – would also be a temptation for threat actors. These concerns are greatly exacerbated each time the Commission calls for additional public disclosure of sensitive information that is not decision useful for clients. Our concerns about data security extend to non-public disclosure as well.

Given that no one is fully immune to attacks, the Commission should consider the risk that a cybersecurity breach of the Commission’s systems storing the various regulatory reports, especially along with other non-public sensitive information, could provide cybersecurity hackers a treasure trove of information relating to an adviser’s system weakness or vulnerabilities or a service provider’s sensitive proprietary information. While we have recommended confidential (rather than public) treatment of certain information that the Commission proposes to require,[18] we again urge the Commission to proceed cautiously before requiring advisers to report an ever-greater amount of information that could be harmful to them and their clients if inadvertently or maliciously disclosed or abused.

As explained in our various comment letters on the Four Proposals, there are likely to be other harmful downstream effects on investors, which are likely to bear many other costs of these proposals, whether directly or indirectly. For example, advisers may have to use service providers that are not their top choice, or bring more outsourced functions in house where it might be better for the adviser and its clients for the function to remain outsourced.

For these reasons it is incumbent on the Commission to conduct a more thorough and comprehensive evaluation of how the Four Proposals align or conflict with one another so that it can identify and address these and other areas of concern prior to any final action on a rule. Otherwise, advisers will face significant challenges in understanding and implementing the resulting regulatory obligations, which could lead to confusion, inefficiency, and unintentional compliance failures, all of which would directly undermine the goals of the rulemakings.

II. The Commission should undertake a more expansive, accurate, and quantifiable assessment of the cumulative costs, burdens, and economic effects of the Adviser Proposals and consider alternatives.

The IAA and other commenters have repeatedly urged the Commission to consider proposed regulations holistically and to assess the cumulative impact of regulations, both existing and proposed. We believe it is imperative for the Commission to carefully conduct robust cost-benefit analyses, not only of each regulatory proposal in isolation, but of their cumulative effects on advisers, their clients, and the financial services landscape more broadly. For example, there can be no doubt that the costs of compliance – direct and indirect – rise with each regulation and directly impact the ability of advisers to invest in other aspects of their businesses, including the resources available for client-facing efforts.

These considerations need to be part of the Commission’s broader assessment of the Adviser Proposals and we are troubled that they are not being directly addressed. We are also troubled that the Commission moves ahead with such consequential proposals when its assessment of potential costs and benefits is acknowledged to be highly theoretical and not based on or supported by factual data.[19] Thus, we again call upon the Commission to undertake a more expansive, accurate, and quantifiable assessment of the specific costs, burdens, and economic effects that would be placed on advisers to implement the Adviser Proposals. Specifically, we recommend that the Commission holistically consider the cumulative costs and burdens of existing regulatory obligations along with proposed and adopted regulations. We also urge the Commission to include in this assessment the likely costs and negative impacts of the Adviser Proposals for investors and the financial services landscape more broadly. The Commission should also consider and propose alternative approaches to balance the costs and potential benefits more appropriately.

III. The Commission should directly and more accurately address how its proposed regulations would affect smaller advisers and propose reasonable alternatives.

The IAA has long advocated for the Commission to realistically consider the impacts of its regulations on smaller advisers, which have been disproportionately burdened by one-size-fits-all regulations – both in isolation and cumulatively. New regulations, especially when they are prescriptive, often require substantial fixed investments in infrastructure, personnel, and technology. Depending on the requirements, they may need new or upgraded systems, relating, for example, to documentation and recordkeeping, contract and vendor management, compliance monitoring and testing, operations, custody, business continuity planning, and more. They may also need to expend significant resources on outsourcing, as well as on legal and consulting services. In addition to the considerable burdens borne directly by these smaller advisers, these costs could create meaningful barriers to entry for emerging advisers, and increase pressure on existing advisers for industry consolidation, thereby reducing competition and the investment choices available to investors.

We have frequently called on the Commission to take steps to tailor its rules to minimize these impacts, for example through preserving a flexible, risk- and principles-based approach, excluding or exempting smaller advisers from specific requirements where the burdens on those advisers outweigh the benefits, and tiering and staggering compliance timetables.

Unfortunately, the Commission, as a practical matter, does not accurately analyze the impact of its regulations on small advisers as required under the Reg Flex Act,[20] because virtually no SEC-registered advisers fall under the “asset-based” definition of small adviser adopted by the Commission. Yet, by any rational measure, the vast majority of advisers are small businesses.[21]

Specifically, the Commission adopted Rule 0-7 under the Advisers Act defining “small business” or “small organization” for purposes of treatment as a “small entity” under the Reg Flex Act as including an investment adviser that has less than $25 million in assets under management. However, with few exceptions, advisers are not permitted to register with the Commission unless they have at least $100 million in assets under management, thus making any analysis the Commission does regarding the impact on smaller advisers virtually meaningless.

Accordingly, we plan to formally petition the Commission to publish for notice and comment an updated and amended definition of “small entity” for purposes of the Reg Flex Act that will enable the Commission to more realistically[22] consider the significant and disparate impact of new regulations on smaller advisers and to propose reasonable alternatives.[23] We cannot overstate the impact on our many members that are in fact small businesses of the cumulative costs and burdens of implementing all these new regulations, if adopted.

IV. The Commission should seek public feedback on a comprehensive implementation timeline with tiered and staggered compliance dates for the Adviser Proposals.

We appreciate that the Commission has previously proposed staggered implementation periods, including some that are based on firm size per our suggestion,[24] and we urge it to continue to do so, including for all the Adviser Proposals. The transition periods proposed for each of these proposals are both unreasonable and unrealistic, especially combined, and they demonstrate that the Commission does not fully appreciate the steps that advisers take to implement new regulations, or that new requirements will be layered on top of the extensive existing requirements and advisers’ ongoing implementation of their compliance programs. It is especially important for the Commission to recognize these challenges given the strong likelihood that advisers will need to implement several major new rules concurrently. We urge the Commission to consider the vast scale and complexity of the Adviser Proposals, as well as existing compliance obligations, and adopt a more comprehensive, reasonable, and workable timeline for compliance.

Should the Adviser Proposals be adopted substantially as proposed, it will take significant time and immense effort for advisers to align current compliance and business practices with each of the many prescriptive regulatory requirements under the Adviser Proposals. For example, advisers would need to: establish compliance budgets; develop project timelines; analyze the rules and evaluate how they affect their business; attempt to negotiate or renegotiate written agreements; prepare for new reporting and recordkeeping obligations; draft, update, and implement an internal controls approach; work with internal and external parties (e.g., compliance, legal, and other service providers); and conduct training. All while allowing sufficient lead time prior to the compliance date to receive and integrate deliverables from service providers – which will be strained by the new demands on them and have their own timetables – put systems and controls in place and test them, and train personnel.

Even if the Commission accepts all the IAA’s recommendations on the Adviser Proposals, the sheer scale and speed of these rulemakings will still impose enormous costs on and require enormous efforts from advisers. Advisers will still need to take virtually all the steps described above to develop and/or refine the risk- and principles-based controls necessary to comply with the many new requirements and apply any new Commission guidance. While new requirements will be narrower, principles-based, and more targeted to their business and current internal controls – making their implementation substantially less disruptive – advisers will nonetheless face virtually unprecedented challenges to implement the new rules.[25]

Whether adopted substantially as proposed or with significant modifications, the many challenges associated with these new regulations and proposed compliance dates will without doubt demand advisers to devote significant and increased operational, personnel, and compliance resources during an unreasonably short period of time. Under the compliance periods currently contemplated by the Commission, advisers will be forced to re-allocate the time and resources that are already budgeted to – and for the existing needs of – their compliance programs to implement these new regulations concurrently and in a compressed time frame. It is imperative for the Commission to carefully consider the cumulative effects that all these regulations will have on advisers’ operational limitations and, more importantly, resource constraints, in determining the compliance dates of each of the Adviser Proposals.

The following graph illustrates the daunting task advisers would face in implementing the Adviser Proposals under the timelines being proposed by the Commission.

The graph illustrates that advisers would:

  • Be required to implement the Adviser Proposals during compressed and overlapping compliance periods while attempting to comply with existing ongoing regulatory obligations designed to ensure a robust compliance culture at the adviser and protect investors. For example, the graph includes required Annual Reviews of compliance programs[26] and Annual Updates to Form ADV.[27] But it is critical to bear in mind that investment advisers are subject to an extensive array of other ongoing regulatory obligations intended to protect investors (e.g., compliance with the expansive requirements of the new Marketing Rule, recordkeeping,[28] and other reporting and disclosure obligations, to name just a few).
  • Be required to comply with 13 new regulations (listed in Exhibit A) requiring massive resources and implementation efforts within 28 months. By contrast, the Commission provided advisers an 18-month transition period to implement the Marketing Rule alone.[29]
  • Have approximately 16 overlapping months to implement the substantial requirements of just the Four Proposals (Regulation S-P, Cybersecurity, Outsourcing, and Safeguarding).

Accordingly, the IAA recommends that the Commission seek feedback from all interested commenters (including affected service providers and custodians) for a comprehensive and practicable approach to staggered transition periods that would allow advisers to manage implementation in a workable, organized, and resource-efficient manner. Specifically, the IAA recommends that, whether the Adviser Proposals are finalized substantially as proposed or with modifications – for example, as the IAA has recommended – the Commission publicly put forth a comprehensive timeline for staggered compliance for all the Adviser Proposals (e.g., on the SEC’s website) over at least the next five years (as opposed to under three years as proposed) that: (i) allows advisers to efficiently implement the new rules in a manner that minimizes costs and burdens to the extent feasible and avoids adversely disrupting the effectiveness of existing compliance programs; (ii) permits partial or rolling compliance dates for certain interconnected provisions of the Adviser Proposals (a “tiered” approach); (iii) would be considered when the Commission subsequently proposes new rules within this time frame; and (iv) takes into consideration and provides alternatives based on firm size, given the costs and resource constraints of smaller advisers as discussed above.

Given the importance of this matter to the IAA and our members, we would welcome the opportunity to work with the Commission and its staff in developing a reasonable and workable comprehensive compliance timeline for implementation.
