IAA Submits Supplemental Letter on Outsourcing Proposal
April 20, 2023
Ms. Vanessa A. Countryman
U.S. Securities and Exchange Commission
100 F Street, NE
Washington, DC 20549-1090
Re: Outsourcing by Investment Advisers (SEC Rel. No. IA-6176; File No. S7-25-22)
Dear Ms. Countryman:
The Investment Adviser Association (IAA) is submitting these supplemental comments (Supplemental Letter) on the Commission’s proposed new rule and related disclosure and recordkeeping amendments that would prohibit SEC-registered investment advisers from outsourcing certain services or functions to service providers without meeting minimum specified requirements. We are submitting this Supplemental Letter outside of the official comment period and request that the Commission nevertheless consider our additional comments. We also request that the Commission formally reopen the comment period for the Proposal to provide all interested parties with the opportunity to consider and comment on the interplay among the Proposal and other interrelated rule proposals.
While we understand the Commission’s objectives, we reiterate our belief that this Proposal is unnecessary and unwarranted. As we discussed in our initial letter on the Proposal, an adviser’s outsourcing oversight is currently required by its fiduciary duty. In addition, the Commission has significantly underestimated the potential costs and burdens of the Proposal, and it fails to consider the Proposal’s cumulative impacts and interrelatedness with other rulemakings. If adopted, the Proposed Outsourcing Rule and related amendments will have sweeping implications for all advisers, their service providers, and their clients, with disproportionate negative consequences for smaller advisers and their clients, as well as for smaller service providers. Accordingly, we again urge the Commission not to move forward with the Proposal.
If, despite the concerns expressed by the IAA and most of the other substantive commenters, the Commission nonetheless decides to move forward, this Supplemental Letter reflects our specific comments and recommendations for alternatives that would achieve the Commission’s objectives with greater efficiency and effectiveness and fewer operational and cost burdens for investment advisers.
I. Executive Summary
A. To the extent the Commission perceives gaps in adviser oversight of service providers, it should:
- Confirm that Rule 206(4)-7 (Compliance Rule) requires advisers to adopt and implement written policies and procedures, pursuant to their fiduciary duty, that are reasonably designed to prevent violation by the adviser and its supervised persons of the Advisers Act and the rules adopted thereunder, including related to outsourcing oversight; and
- Consider issuing guidance designed to assist advisers in improving their service provider oversight processes while allowing them to preserve and leverage as much of their existing oversight infrastructure as possible.
B. If the Commission nevertheless determines to move ahead with a new rule related to outsourcing oversight, it should significantly modify the structure and scope of and the requirements under the Proposed Outsourcing Rule.
- Structure of a new rule. Any final rule should use a principles- and risk-based approach that allows advisers to identify and tailor their oversight of outsourced Covered Functions based on the facts and circumstances applicable to their outsourcing to Service Providers, and is less likely to result in “foot-fault” violations.
- Scope of a new rule.
- The Commission should refine and clarify the definition of “Covered Function,” which, as proposed, could potentially capture a very large number of functions and services even though statements in the Proposal indicate that this is not the Commission’s intent.
- Any final rule should be limited to core advisory functions under the Advisers Act.
- The definition should be modified further to provide additional clarity.
- We offer an alternative definition that we believe would more appropriately narrow and clarify these functions and services.
- The proposed definition of “Service Provider” is also unrealistically broad, reaching service providers where there are little or no marginal benefits to their inclusion and the costs to advisers would be substantial. We thus recommend that the Commission exclude certain categories of service providers either because they are already subject to robust Federal financial services regulation or generally do not raise the concerns underpinning the proposed definition. Specifically, we recommend exclusion of:
- Affiliated service providers operating under a shared services or similar model;
- Entities regulated by the Commission or another Federal financial regulator;
- Fund service providers; and
- The Commission should refine and clarify the definition of “Covered Function,” which, as proposed, could potentially capture a very large number of functions and services even though statements in the Proposal indicate that this is not the Commission’s intent.
- Due diligence and monitoring requirements under a new rule.
- We generally oppose prescriptive, one-size-fits-all due diligence and monitoring requirements. We are concerned that prohibiting outsourcing of Covered Functions unless a prescribed six-element checklist is met will effectively impose a strict liability standard on advisers that unnecessarily raises regulatory risk and could upend existing outsourcing and service provider relationships that operate effectively today. We urge the Commission instead to require that due diligence be risk-based and include a reasonableness standard relating to the adviser’s performance of its due diligence. We offer alternative text for consideration by the Commission.
- We also offer specific comments on or modifications to the six proposed due diligence requirements should the Commission decide to retain any of them in the final rule text. We strongly recommend that the Commission eliminate from the Proposed Outsourcing Rule text the requirements relating to subcontracting arrangements and obtaining reasonable assurances. We offer suggestions for how the Commission could instead provide guidance on due diligence and make additional recommendations that we believe would make a final rule more workable.
- We also recommend that the Commission exclude the prescribed due diligence requirements from any monitoring requirement and allow advisers to similarly tailor monitoring to their particular facts and circumstances.
C. Comments and recommendations relating to proposed amendments to Form ADV. The Commission should not prescribe Covered Function categories and should allow advisers to list those functions or services that they have determined to be Covered Functions that are outsourced to a Service Provider. We also urge the Commission to keep information relating to specific Service Provider relationships confidential to reduce the risk of potential cybersecurity incidents and protect advisers’ and Service Providers’ proprietary information and business interests.
D. Comments and recommendations relating to proposed changes to the Recordkeeping Rule. We recommend that, instead of creating overly prescriptive recordkeeping requirements, the Commission require advisers to have reasonably designed policies and procedures to ensure that records relating to outsourcing of Covered Functions and outsourced recordkeeping are appropriately made and maintained. We offer alternative rule text that reflects our recommendations.
E. Comments and recommendation relating to transition period. The proposed 10-month transition period for all advisers is unreasonably short and does not take into account the time and effort that would be required to implement new oversight requirements. If the Commission moves ahead with a final rule, we believe that a significantly longer transition period will be required to prevent industry disruption and urge the Commission to provide staggered compliance periods of at least 18 months for larger advisers and 24 months for smaller advisers.
F. Comments and recommendation to reopen the comment period. The Commission should formally reopen the comment period for the Proposal to provide interested parties with the opportunity to consider and comment on the interplay among the Proposal and other rule proposals, including, g., cybersecurity, safeguarding of client assets, and Regulation S-P, and the cumulative impacts of proposed and existing rules.
II. IAA Comments and Recommendations
A. If the Commission perceives gaps in investment adviser oversight, instead of adopting a new rule, it should confirm that the Compliance Rule requires reasonably designed policies and procedures on outsourcing oversight and consider issuing guidance to assist advisers in improving their oversight processes.
As the Proposal notes, the use of service providers by advisers has grown tremendously in recent years in light of the expansion of services provided by advisers and the increase in demand for such services. We agree with the Commission’s view on the benefits of service providers to advisers, including, but not limited to, the ability to “access … certain specializations or areas of expertise, reduce risks of keeping a function in-house that the adviser is not equipped to perform, or otherwise offer efficiencies that are unavailable to or unachievable by an adviser alone.”
Most critically, we agree with the Commission regarding advisers’ current responsibilities with respect to outsourced advisory services: “[w]hen an investment adviser holds itself out to clients and potential clients as providing advisory services, the adviser implies that it remains responsible for the performance of those services and will act in the best interest of the client in doing so,” and outsourcing a particular advisory function or service does not change that obligation. We also agree that an adviser cannot waive its fiduciary duty to its clients, which extends to those advisory services to which the adviser and its clients have agreed.
We again urge the Commission to analyze whether the Proposed Outsourcing Rule is necessary against the backdrop of these current obligations and the existing outsourcing oversight infrastructure that advisers have adopted to support these responsibilities.
To the extent the Commission perceives weaknesses in current oversight frameworks, it should confirm that the Compliance Rule in effect today requires reasonably designed policies and procedures on outsourcing oversight pursuant to an adviser’s fiduciary duty. The Compliance Rule has been remarkably successful, and its significance and potential application in this context should not be minimized. Its principles-based features have enabled the Commission and its staff to adapt the rule to new and evolving issues that were not contemplated when the rule was adopted, and it is sufficiently flexible and robust to cover an adviser’s outsourcing oversight without the need for a separate rule.
We recommend further that the Commission consider issuing guidance designed to assist advisers in improving their oversight processes while allowing them to preserve and leverage as much of their existing outsourcing oversight infrastructure as possible.
For example, the Division of Examinations could issue a risk alert that reminds advisers of their existing fiduciary duties and how those duties apply to outsourcing oversight. If, following the publication of that risk alert, the Commission identifies widespread issues with advisers’ policies and procedures related to outsourcing oversight, it could consider additional guidance.
Any Commission guidance should make clear that advisers should apply risk-based due diligence to their identification and outsourcing of core advisory functions. Advisers should first identify factors creating risk exposure for the adviser and its clients from such outsourcing in light of its particular operations, i.e., conduct a risk assessment, and then design policies and procedures that address those risks, including policies and procedures relating – and that take a risk-based approach – to due diligence and monitoring.
The Commission could include the following non-exhaustive factors in its guidance for consideration by advisers, which could incorporate these factors regardless of their approach to their risk assessment:
- the extent of any direct impact on the adviser’s ability to provide core advisory services;
- the extent to which and the duration that the adviser would be unable to deliver core advisory services to its clients without the relevant core advisory service;
- the potential magnitude of financial, reputational, and operational impact on the adviser of the failure of a service provider to perform a core advisory service;
- whether the magnitude of potential monetary losses or other harms to an adviser’s clients resulting from the failure of a service provider to perform could be substantial;
- the impact of outsourcing the task on the ability and capacity of the adviser to comply with Advisers Act regulatory requirements and changes in requirements;
- the impact of the core advisory service on the data security and data integrity of the adviser and its clients; and
- the degree of difficulty and time required to select an alternative service provider or to bring the function in-house.
B. If the Commission nevertheless decides to move ahead with a new rule related to outsourcing oversight, it should significantly modify the structure and scope of and the requirements under the Proposed Outsourcing Rule.
If, despite the serious concerns expressed by the IAA and the majority of the other substantive commenters, the Commission nevertheless determines to move ahead with the Proposal, we offer comments and recommendations that we believe could allow the Commission to: (i) achieve its objectives while streamlining unnecessary operational and compliance burdens on advisers and service providers, and (ii) minimize potential unintended consequences on advisers, service providers, and clients. We urge the Commission not to move ahead with the Proposal without making the changes that we recommend.
1. Structure of a new rule: Any new outsourcing rule should be principles- and risk-based.
As currently drafted, the Proposed Outsourcing Rule would potentially chill beneficial outsourcing not only because of its breadth and ambiguity, but also because of its prescriptive nature. By prohibiting an adviser from retaining Service Providers covered by the rule unless several specific due diligence conditions are met, the rule would shift advisers’ existing oversight processes into a prescribed check-the-box approach that would make “foot-fault” violations more likely, significantly raising the risk that an adviser could be found to have committed fraud on its clients despite having acted in good faith. Thus, if the Commission does proceed with a rule relying on Section 206(4) anti-fraud authority, the rule should be principles- and risk-based.
A principles- and risk-based rule could also minimize the need for advisers to invest in substantial new infrastructure and reduce the harm to long-standing relationships between advisers and their service providers. We thus urge the Commission to reframe and revise the Proposed Outsourcing Rule to allow advisers to tailor their outsourcing oversight commensurate with their assessment of the level of risk of the outsourced advisory function or service. The Commission itself recently supported a principles-based approach in its final rule shortening the securities settlement cycle, under which it allows policies and procedures in lieu of the written agreement it had initially proposed, and we commend its recognition of the challenges that a prescriptive approach would have raised. A similar approach to a new outsourcing rule would allow advisers to create risk-based policies and procedures that best align with their existing business practices and service provider relationships and that are more likely to achieve effective oversight of outsourcing of Covered Functions.
For these reasons, if it moves forward, the Commission could adopt a standalone principles- and risk-based rule under Section 206(4), worded similarly to the Compliance Rule and incorporating the modifications we recommend, that directly addresses due diligence and monitoring requirements for oversight of outsourcing of Covered Functions, as we propose they be defined. A new rule could also be accompanied by guidance, as discussed in Section A above.
2. Scope of a new rule.
a. The Commission should refine and clarify the definition of Covered Function.
We are concerned that lack of clarity in the definition of Covered Function and concerns about anti-fraud liability would likely cause advisers to err on the side of being overinclusive in their determination of what constitutes a Covered Function so as not to get second guessed by the Commission in hindsight. A Covered Function could thus sweep in many functions or services not explicitly excluded. We make several recommendations below that we believe would improve this definition.
i. Any new rule should apply only to the provision of core advisory services under the Advisers Act.
The Commission should limit the scope of any final outsourcing rule to advisory services provided “under the Advisers Act” rather than “in compliance with the Federal securities laws.” The Commission asserts that “there is a risk that clients could be significantly harmed … when an adviser outsources to a service provider a function that is necessary for the provision of advisory services without appropriate adviser oversight,” and, accordingly, “[t]he proposed rule is designed to apply in the context of outsourcing core advisory functions.” Advisers provide their advisory services to clients under the regulatory framework of the Advisers Act. While advisers may also be subject to other Federal securities laws, we do not believe that their activities and obligations under those laws can fairly be characterized as “core advisory functions” of an adviser registered or required to be registered with the Commission under the Advisers Act. Any final rule should therefore be limited to core advisory services under the Advisers Act.
We also do not believe that the Commission should include the words “in compliance with” in a final rule, because of their breadth and ambiguity. We agree with Commissioner Uyeda that “[m]any functions or services that do not relate to an adviser’s investment advisory services nonetheless are necessary for the adviser to provide its investment advisory services in compliance with the Federal securities laws,” and that under a technical reading of the proposed rule text, almost any outsourced function could fall within the “Covered Function” definition. For example, legal advice, consulting services, assistance with regulatory filings (operational and otherwise), delivery of client disclosures, use of compliance software (for example, to track personal trading), and myriad other functions may be necessary for an adviser to provide its advisory services in compliance with the Advisers Act, but they cannot fairly be said to be core advisory functions.
The Commission notes that the Proposed Outsourcing Rule is intended to apply only in the context of “core advisory functions,” and the Proposal’s economic analysis concludes that, on average, advisers will have only five or six core advisory functions that are Covered Functions. The breadth of the potential application of the rule, however, calls these statements into question. We believe that replacing “in compliance with the Federal securities laws” with “under the Advisers Act” in the definition of “Covered Function” would make it easier for advisers to determine which functions are “Covered Functions,” and also help align the Proposal with its stated objective of covering a relatively small number of core advisory functions. We thus urge the Commission to make this change.
ii. The Commission should make additional changes to further refine and clarify the definition of Covered Function.
We offer the following alternative definition of Covered Function under proposed Rule 206(4)-11(b), marked to compare to the proposed definition:
Covered Function means a function or service that is directly related to and necessary for the investment adviser to provide its investment advisory services in compliance with under the Advisers Act and the rules thereunder Federal securities laws, and that, if not performed or performed negligently, the disruption or failure of which would be reasonably likely to cause a material negative impact on the adviser’s clients or on significantly disrupt the adviser’s ability to provide such investment advisory services. A covered function does not include clerical, ministerial, utility, or general office functions or services.
The first prong of the alternative definition. The first prong of the Covered Function definition is intended to assist advisers in determining what constitutes a core advisory function. As discussed above, we recommend deleting “in compliance with the Federal securities laws,” and replace that language with “under the Advisers Act.” In addition, we believe that to be a core advisory function, a function or service must not only be necessary for but also directly related to the provision of investment advisory services for it to meet the first prong. We thus recommend that the Commission add the words “directly related to and” before the word “necessary.”
The second prong of the alternative definition. We agree with the Commission that the Covered Function definition should have a materiality qualifier, because a function could be directly related to and necessary under the first prong without its disruption or failure being reasonably likely to have a material adverse impact.
However, the standard in the second prong proposed by the Commission – if the service or function is “not performed or performed negligently,” – is too vague and would be difficult to implement. While we appreciate the Commission’s effort to further qualify the proposed second prong, we believe that it would be exceedingly difficult for advisers to determine in each instance what performance by the service provider would be negligent and how such negligent performance would be likely to impact the relevant service or function. The conduct standard also may not be relevant to whether failure or disruption would materially impair an adviser’s ability to provide its advisory services.
While the analysis would still be based on facts-and-circumstances, we believe that our recommended modifications to the definition should provide greater clarity to advisers and better align with the Commission’s determination that the Covered Function definition should be targeted to a relatively small number of Covered Functions.
b. The Commission should exclude certain categories of service providers from the definition of Service Provider.
The proposed definition of Service Provider is unrealistically broad, reaching service providers where any marginal benefits from their inclusion would be substantially outweighed by the costs to advisers. We recommend that the Commission exclude certain categories of service providers from the definition because they are already subject to robust financial services regulation and generally do not raise the concerns underpinning the proposed definition.
Specifically, we recommend exclusion of:
i. Affiliated service providers operating under a shared services or similar model.
The IAA requests that the Commission carve out affiliated service providers under a shared services or similar model from the definition of Service Provider. The Proposed Outsourcing Rule does not distinguish between affiliated and unaffiliated third-party service providers, based on the Commission’s belief that “the risks that the proposed rule are designed to address exist whether the service provider is affiliated or unaffiliated, and the service provider is not necessarily already being overseen by the adviser.” In our view, these concerns do not apply in the context of an adviser operating under a shared services or similar model.
Large asset management firms frequently have centralized groups (e.g., regulatory compliance, trading desk, investment risk, valuation, client services, account administration, technology support, etc.) that provide support and services to several advisers in the same corporate family. Typically, under this arrangement, a central affiliated entity performs certain core advisory functions and/or support functions for a group of affiliated advisers. Using this model, advisers can optimize costs, promote a standard approach to risk management, and achieve greater efficiencies by centralizing the provision of these services in one affiliated entity that serves the entire group of affiliates rather than individually shouldering the expenses and burdens associated with performing those functions on their own behalf.
The affiliated entity that performs core advisory functions under a shared services model generally does not make these same services available to the broader marketplace. Typically, this is an internal arrangement between two or more affiliated entities. While advisers may be legally separate from an affiliated entity that performs certain advisory functions on their behalf, in reality, these affiliated service providers function as a closely integrated part of each adviser’s operations.
ii. Service Providers regulated by the Commission or another Federal financial regulator.
We recommend that the Commission exclude entities regulated by the Commission or another Federal financial regulator from the definition of Service Provider. These entities already have their own extensive regulatory and compliance obligations with respect to the services they provide, and their services thus generally do not raise the same level of risk as those provided by entities not subject to this regulatory oversight. Extending an outsourcing rule to these regulated entities would also be duplicative of and potentially inconsistent with other regulatory requirements.
If the Commission does not accept this recommendation, at a minimum we urge it to exclude SEC-registered advisers – whether retained as sub-advisers or in another capacity – custodians, broker-dealers, wrap fee program sponsors, commodity pool operators, and commodity trading advisors.
iii. Service Providers to registered funds.
Service Providers to registered funds, which are retained to perform Covered Functions pursuant to Investment Company Act Rule 38a-1 or Section 15(c) should also be excluded from the definition of Service Provider. The Commission acknowledges that fund boards would be responsible for oversight of fund service providers. It notes that if these service providers are engaged by the adviser to service its mutual fund clients, then there may be potential for overlap between the Proposed Outsourcing Rule and Rule 38a-1. We believe that the overlap would be significant and that it is not necessary to extend an outsourcing rule to these entities.
We ask that the Commission confirm that all custodians are excluded from the definition of Service Provider. As noted above, advisers are not permitted to custody client funds and securities themselves (in their capacity as advisers). Moreover, as the Proposal recognizes, it is the client, and not the adviser, that selects and ultimately contracts directly with the custodian to provide it with custody services, and the adviser has no privity of contract with the custodian with respect to that agreement. The adviser thus should not be viewed as having “retained” the custodian with respect to these clients. Finally, the Commission has proposed sweeping changes to the current Custody Rule and we believe that it should consider all issues relating to custodians together to avoid inconsistencies and unintended consequences.
3. Due diligence and monitoring requirements under a new rule.
a. Due diligence requirements should be risk-based, include a reasonableness standard, and allow for flexibility.
We urge the Commission to include in any rule text that due diligence must be risk-based and include a standard of reasonableness in the adviser’s performance of its due diligence obligations.
We appreciate that the Proposed Outsourcing Rule “is intended to allow registrants to tailor their due diligence practices to fit the nature, scope, and risk profile of a covered function and potential service provider,” and that it includes an element of reasonableness in that the adviser must “reasonably identif[y], and determine that it would be appropriate” both to outsource the Covered Function and to select the Service Provider. However, the six proposed due diligence obligations imposed on an adviser essentially operate as strict liability requirements because an adviser would be required to follow the exact contours of each requirement before it would be permitted to outsource a Covered Function. Under the proposed rule, the standard for “reasonably” identifying, and determining that outsourcing would be “appropriate,” would require advisers to satisfy each of the six prescribed requirements, regardless of whether the requirements are even feasible for the adviser or whether alternative, more tailored, approaches would also be effective. We strongly believe that the prescriptive nature of the proposed due diligence provisions will likely, in many cases, put advisers in an impossible situation of not being able to meet the requirements and, as a result, having to make outsourcing decisions, such as bringing the function in-house, that may not be in the best interest of investors. It is also likely to cause significant disruption to existing outsourcing oversight, which is not necessary to achieve the Commission’s stated objective of effective oversight.
Accordingly, we recommend that the Commission reframe proposed Rule 206(4)-11(a)(1) as follows, marked to compare to the proposed definition:
Due diligence. Before engaging such Service Provider to perform a Covered Function, the adviser reasonably identifies, and conducts due diligence commensurate with the levels of risk and complexity of the Covered Function and the Service Provider, and the exigency of the circumstances, such that the adviser can reasonably determines that it would be appropriate to: (i) outsource the Covered Function and (ii) select that Service Provider, by:
We do not believe that the rule text, as modified, needs to include any of the proposed due diligence requirements for it to be effective, but we would not object to certain of them, as discussed below.
Proposed due diligence requirements (i) – (iii). The first three proposed due diligence elements require an adviser to: (i) identify the nature and scope of the Covered Function the Service Provider is to perform; (ii) identify and determine how it would mitigate and manage the potential risks to clients or to the adviser’s ability to perform its advisory services resulting from engaging a Service Provider to perform the Covered Function and engaging that Service Provider to perform the Covered Function; and (iii) determine that the Service Provider has the competence, capacity, and resources necessary to perform the Covered Function in a timely and effective manner.
If the framework around these three elements were principles- and risk-based and consistent with the rule text we offer above, we believe, with one important modification, that it would be reasonable for the Commission to require that advisers consider elements (i) through (iii) in their due diligence processes, whether in guidance or rule text. For example, the Commission could add the following to the end of the modified text we offer above for Rule 206(4)-11(a)(1):
The adviser should consider the following elements when assessing outsourcing risks:
The modification we suggest would be to add a materiality qualifier to element (ii). We are concerned that as proposed, that element would require an adviser to identify and determine how it would mitigate and manage any potential risks to clients or to the adviser’s ability to perform its advisory services, regardless of whether they are material. Consistent with the Commission’s view that the Covered Function definition should have a materiality qualifier, we believe that an adviser should be expected to mitigate and manage the material risks to its clients or the ability to perform its advisory services.
Proposed due diligence requirement (iv). The fourth proposed due diligence element would require advisers to determine whether a Service Provider has any subcontracting arrangements that would be material to its performance of the outsourced Covered Function and how the adviser would mitigate and manage potential risks in light of these arrangements.
We strongly recommend that this requirement be excluded from any final rule. A prescriptive requirement to obtain this information is unrealistic. It would be challenging for advisers of all sizes, but smaller advisers in particular, to obtain specific information about subcontracting arrangements, especially from larger Service Providers and Service Providers whose client base is broader than the financial services industry. We understand that the degree to which and level of detail that Service Providers provide advisers transparency into their specific subcontracting arrangements vary widely and may depend on several factors over which the adviser has no control or leverage.
We believe it would be more effective for advisers to factor in any potential material risks arising from the Service Provider’s sub-contractor relationships and consider how to manage those risks appropriately, based on the particular facts and circumstances, including the level of transparency. The modified rule text we offer above would provide an appropriate framework for this assessment.
Proposed due diligence requirements (v) and (vi). Proposed due diligence elements (v) and (vi) require that advisers obtain “reasonable assurance” from Service Providers as to certain specific undertakings related to compliance and orderly termination. We urge the Commission to exclude these requirements from any final rule as well.
The proposed requirements may not be practicable for most advisers and are not feasible for others. Advisers – and smaller advisers in particular – generally have little or no negotiating power with respect to Service Providers, and the leverage of all advisers, regardless of size, is especially constrained with respect to larger Service Providers. We believe that it is highly unlikely that Service Providers would agree to provide the required assurances, even to the largest and most well-resourced advisers.
When an adviser is unable to obtain the required assurances, it would be forced to look for a different Service Provider that may not have the same level of sophistication or offer affordable or as favorable terms as the original Service Provider – assuming other Service Providers were available to take on the Covered Function – or in-source the function, potentially in an area in which the adviser may have neither the infrastructure nor the expertise to do so effectively. None of these outcomes would serve the Commission’s investor protection goals and could result in advisers being excluded from engaging the most appropriate Service Provider for the particular Covered Function.
b. Due diligence requirements should include reasonable exceptions.
Allow for emergency exceptions to Service Provider due diligence. The Commission should provide certain exceptions to the requirement that all due diligence must be performed before a Covered Function may be outsourced. For example, in the event of an exigent circumstance with an existing Service Provider or a new Service Provider engagement, e.g., where the adviser identifies a material negative impact, or where performing a specific Covered Function is urgent, the adviser should be given the flexibility to perform as much due diligence as is reasonable under the circumstances and then complete its due diligence once the exigent circumstance has passed. We have included the ability for an adviser to consider exigent circumstances in the alternative rule text offered above.
Do not require third-party oversight of Service Providers. The Proposal asks whether the Commission should require advisers to obtain third-party experts, audits, and/or other assistance to oversee a Service Provider when the adviser is outsourcing a Covered Function that is highly technical, or the oversight requires expertise or data that the adviser lacks. In our view, such a requirement is unwarranted and unnecessarily burdensome for advisers.
It is not clear how an adviser would determine which Covered Functions need additional oversight and who would oversee the third party conducting that additional oversight. Further, such engagement would likely result in additional layers of expense that would be cost-prohibitive with marginal potential benefits.
c. Advisers’ monitoring processes should be tailored to the ongoing business of the adviser and its clients.
We appreciate that the Proposed Outsourcing Rule does not prescribe the frequency or manner in which advisers should conduct monitoring of their Service Providers, and we agree with the Commission’s statement that “the manner and frequency of an adviser’s monitoring would depend on the facts and circumstances applicable to the covered function, such as the materiality and criticality of the outsourced function to the ongoing business of the adviser and its clients.”
However, for the reasons discussed above, we do not agree that ongoing monitoring must include the six prescribed due diligence requirements. Instead, advisers should be allowed to tailor monitoring policies and procedures to their particular facts and circumstances. If the Commission decides to include monitoring requirements in a final rule, we offer the following modifications to proposed Rule 206(4)-11(a)(2):
Monitoring. The adviser periodically monitors the Service Provider’s performance of the Covered Function and reassesses the retention of the Service Provider in accordance with the due diligence requirements of paragraph (a)(1) of this section and with a manner and frequency such that the investment adviser reasonably determines that it is appropriate to continue to outsource the Covered Function and that it remains appropriate to outsource it to the Service Provider.
C. Recommendations relating to proposed amendments to Form ADV Part 1A.
Inclusion of Covered Function categories. The Proposal would amend Form ADV Part 1A (ADV 1A) to list 13 specific Covered Function categories, plus one catch-all category, noting that “the non-exhaustive list of categories is intended to encompass those services or functions that may be commonly outsourced and could fall within the definition of a covered function.” We recommend against including these categories in ADV 1A and suggest instead that the Form require advisers to identify their Covered Functions, based on their principles- and risk-based assessment discussed above.
Confidentiality of Service Provider information. While an adviser’s responses to ADV 1A are available to the public through the Commission’s website, they are not delivered directly to clients or prospective clients, and they are not necessarily written in a manner designed to be meaningful to clients or prospective clients. Rather, ADV 1A is used by the Commission for regulatory purposes and it collects the information that it has identified as important for its examination program and other regulatory functions. To the extent the Commission would find the proposed information useful for its regulatory purposes, that goal can be achieved through confidential, nonpublic reporting.
Further, we strongly disagree with a requirement to make public disclosure of confidential Service Provider arrangements. Such disclosure would likely raise significant concerns regarding confidentiality, release of proprietary information, and effects on competition that are not justified by the potential benefits of public disclosure. For example, contractual agreements with Service Providers typically have strict provisions addressing the disclosure of the engagement and use of the Service Provider’s name and logo, among other restrictions. A Service Provider’s business relationships – what the Service Provider does and for whom – can be highly sensitive competitive information.
Public disclosure of this information would also raise significant risks of a cybersecurity incident impacting the adviser and Service Provider since threat actors would have an accessible trove of information they can aggregate, manipulate, and use to target their attacks. These risks far outweigh any marginal benefit the Commission sees from public disclosure. For these reasons, we urge the Commission to remove provisions requiring the public reporting of this information.
D. Comments and recommendations relating to proposed changes to the Recordkeeping Rule.
1. Advisers’ recordkeeping obligations should be based on risk-based due diligence.
The proposed amendments to the Recordkeeping Rule would require advisers to maintain a list or other record of outsourced Covered Functions, including the name of each Service Provider, along with a record of the factors, corresponding to each listed function, that led the adviser to list it as a Covered Function. While we do not oppose the creation of a list that would provide information related to Service Providers and the Covered Functions they perform, we oppose a specific requirement to list factors corresponding to each Covered Function, as overly prescriptive, unnecessarily burdensome, and redundant.
We believe the Commission can achieve its recordkeeping objectives without a prescriptive mandate. Therefore, we suggest the following marked revision to proposed Rule 204-2(a)(24)(i):
(i) A list or other record of Covered Functions that the adviser has outsourced to a Service Provider, as defined in §275.206(4)-11, including the name of each Service Provider and the Covered Functions it performs for the investment adviser, along with a record of the factors, corresponding to each listed function, that led the adviser to list it as a Covered Function;
In addition, and premised on the Commission’s acceptance of our recommendations relating to an adviser’s due diligence obligations, we propose the following revisions to proposed Rule 204-2(a)(24)(ii) and (iii):
(ii) Records documenting the due diligence assessment conducted pursuant to §275.206(4)-11 and any related, including any policies and procedures or other documentation as to how the adviser will comply with §275.206(4)-11(a)(1)(ii);
(iii)A copy of any written agreement, including any material final amendments, appendices, exhibits, and attachments, entered into with a Service Provider regarding Covered Functions, each as defined in §275.206(4)-11;
We understand that there can be a very large number of appendices, exhibits, and attachments to service provider agreements, many of which are not material. We believe that it would be extremely cumbersome and add little value for advisers to retain all these records, and that it is more reasonable to require that records be kept of material and final changes to agreements.
strong>Advisers should be able to have reasonably designed policies and procedures to address outsourced recordkeeping.
Advisers are already required to maintain books and records under the Recordkeeping Rule and to adopt policies and procedures to ensure compliance with the rule and would need to conduct risk-appropriate due diligence, monitoring, and oversight whenever the recordkeeping function is outsourced to meet their fiduciary duty with respect to such services. As such, the prescriptive recordkeeping requirements should be replaced with a more principles-based approach. As noted above, the Commission itself recently supported a similar policy with respect to its final rule shortening the securities settlement cycle. This principles-based approach will allow advisers to create policies and procedures that best align with their existing business practices and recordkeeping service provider relationships.
We also do not believe that the Commission should include a requirement that it must have direct access to an outsourced recordkeeper’s records to ensure that they are being properly kept and can be timely produced. As the Commission notes in the Proposal, recordkeeping obligations under the Advisers Act belong to the adviser, not the outsourced recordkeeper. Thus, the proposed requirement that these recordkeepers should themselves provide the Commission staff with access to records at any time is unwarranted and unnecessary.
This aspect of the Proposal is also deeply problematic because it attempts to reach and gain access to the systems of entities over which the Commission has no jurisdiction. It is and should continue to be the responsibility of the adviser – the regulated entity subject to the recordkeeping requirements – to be able to obtain and itself provide such records to the Commission in a timely manner.
Additionally, by requiring advisers to perform the required due diligence and monitoring over outsourced recordkeepers, “in each case as though the recordkeeping function were a Covered Function as defined in §275.206(4)-11(b) and the third party were a Service Provider as defined in §275.206(4)-11(b)”, all outsourced recordkeepers would in effect be subject to the broad prescriptive anti-fraud outsourcing rule for every recordkeeping function, regardless of what it relates to. We do not believe this is either necessary or appropriate.
Based on the discussion above, we recommend the modifications below that are marked to compare to proposed Rule 204-2(a)(24)(l). These modifications are also premised on the Commission’s adopting our recommended rule text for proposed Rules 206(4)-11(a)(1) and (a)(2).
(l) Every investment adviser subject to paragraph (a) of this section that relies on a third party to make and/or keep any books and records required by this section (the recordkeeping function) must:
(1) Due diligence and monitoring. Perform due diligence and monitoring as prescribed in §275.206(4)-11(a)(1) and (a)(2) with respect to the recordkeeping function, and make and keep such records as prescribed in paragraph (a)(24) of this section, in each case as though the recordkeeping function were a Covered Function as defined in §275.206(4)-11(b) and the third party were a Service Provider as defined in §275.206(4)-11(b); and
(2) Obtain reasonable assurances Adopt and implement policies and procedures reasonably designed to ensure that the third-party service provider that is performing the recordkeeping function that the third party will:
(i) Adopt and implement internal processes and/or systems Has internal systems for making and/or keeping records on behalf of the investment adviser that meet all of the requirements of this section as applicable to the investment adviser;
(ii) Will make Make and/or keep records of the investment adviser that meet all of the requirements of this section as applicable to the investment adviser;
(iii) For electronic records of the investment adviser that are made and/or kept by the third party under this subparagraph, will allow the investment adviser and staff of the Commission to access the records easily through computers or systems during the required retention period pursuant to this section; and
(iv) Will make Make arrangements reasonably acceptable to the Commission or its staff to ensure the continued availability of records of the investment adviser that are made and/or kept under this subparagraph by the third party that will meet all of the requirements of this section as applicable to the investment adviser in the event that the third party ceases operations or the relationship with the investment adviser is terminated.
E. A longer transition period is required to prevent disruption to advisers’ Service Provider and client relationships.
As discussed in the IAA Initial Letter, we believe that the Commission severely underestimates the costs and burdens that would be imposed on advisers, particularly smaller advisers, by the Proposed Outsourcing Rule and Proposed Recordkeeping Amendments, and it should undertake a more expansive, accurate, and quantifiable assessment of the specific and cumulative costs, burdens, and economic effects that would be placed on advisers, as well as of the potential unintended consequences for their clients.
It is incumbent on the Commission to consider, in particular, ways to ease the burdens of such a broad new rule on smaller advisers, especially if the Commission does not accept our recommendations to refine the Proposal. Smaller advisers have been significantly burdened by one-size-fits-all regulations – both in isolation and cumulatively – that effectively require substantial fixed investments in infrastructure, personnel, technology, and operations. We are concerned that these stressors and barriers will impact smaller advisers’ business models and lead to industry consolidation, which could have a significant impact on their clients. We urge the Commission to conduct a more realistic analysis of the impact that proposed regulations would have on smaller advisers.
Performing the required analysis to determine which functions are Covered Functions and then conducting each of the new prescriptive requirements – including reviewing and renegotiating complex Service Provider arrangements, evaluating the need to change or engage new Service Providers or to bring a Covered Function in-house and then undertaking the work to perform that function, and developing the basis and processes for new reporting and recordkeeping obligations – will be significant undertakings for all advisers. In addition, Service Providers with more than a few adviser clients will be working to adapt to the requirements for numerous advisers, and such a short timeframe for compliance will risk disruption and instability across the network of advisers and Service Providers.
The proposed transition period should be staggered and extended to 18 months for larger firms and 24 months for smaller firms. The Proposed Outsourcing Rule provides a wholly unreasonable 10-month transition period for all advisers that in fact would substantially raise the risks that the Proposal seeks to prevent. It would not be nearly enough time for advisers to get ready for the final outsourcing rule and related amendments and align current practices with the new regulatory requirements.
The proposed compliance runway of 10 months is far too short even if the Commission adopts our recommended changes. In any event, advisers will need to holistically reassess their current service provider infrastructure, re-evaluate their current practices in light of any new requirements and guidance, prepare for new Form ADV reporting, create and implement modified written outsourcing oversight policies and procedures and recordkeeping requirements, and work with their Service Providers to implement any changes.
At the very least, if the Commission moves forward with the Proposal, it should provide a more reasonable compliance period that should include a longer time to transition for smaller advisers. We urge the Commission to provide a compliance period of at least 18 months for larger advisers and 24 months for smaller advisers.
In addition to providing smaller advisers with more time, a staggered runway would provide Service Providers more flexibility to work with smaller and larger advisers in a phased approach on implementing any required changes. Smaller advisers may then be able to leverage Service Provider due diligence reporting that has been developed for larger advisers with an earlier compliance date.
F. The Commission should formally reopen the comment period.
As noted, we are submitting this Supplemental Letter outside of the official comment period. We again urge the Commission to reopen the comment period to allow all interested parties to provide feedback on how this and multiple subsequent proposals interact with each other while imposing new requirements in related areas. Effective rulemaking requires that stakeholders have a reasonable opportunity to analyze complex rule proposals and their potential impacts before the Commission moves ahead with a final rule. We urge the Commission to signal to market participants and the public at large that it is open to receiving additional feedback as part of the formal comment process to make the process more effective.
The Commission has issued the Proposed Outsourcing Rule while numerous related regulatory initiatives are pending, including the Cybersecurity, Safeguarding, and Regulation S-P proposals. However, the Commission does not address how these proposals may overlap or interact with one another. Rules interact in myriad ways, and the Commission has neither identified nor provided any guidance on how advisers should address overlapping, duplicative, or even inconsistent requirements.
The following example demonstrates the complexity of the interrelationships among the various rule proposals and highlights the challenges commenters are facing in trying to address the potential implications of each proposal, especially in the short time provided by the Commission. The Proposal appears to intend to exclude custodians because it is the client, not the adviser, that selects and ultimately contracts with the custodian. However, the Safeguarding Proposal would require contractual privity between the adviser and the custodian the client has selected, which raises the question of whether that custodial relationship would now be subject to the Proposed Outsourcing Rule despite the Commission’s stated intent in the Proposal not to include these relationships.
We appreciate the Commission’s reopening of the Cybersecurity Proposal to allow interested parties additional time to analyze the issues and prepare comments in light of other regulatory developments, including whether there would be any effects of other Commission proposals related to cybersecurity risk management and disclosure that the Commission should consider. We believe that the same reasoning applies to our request to re-open the Proposal.
* * *
We appreciate the Commission’s consideration of the IAA’s supplemental comments and would be happy to provide any additional information that may be helpful. Please contact the undersigned at (202) 293-4222 if we can be of further assistance.
Gail C. Bernstein
Dianne M. Descoteaux
Associate General Counsel
The Honorable Gary Gensler, Chair
The Honorable Hester M. Peirce, Commissioner
The Honorable Caroline A. Crenshaw, Commissioner
The Honorable Mark T. Uyeda, Commissioner
The Honorable Jaime Lizárraga, Commissioner
William A. Birdthistle, Director, Division of Investment Management
 The IAA is the leading organization dedicated to advancing the interests of investment advisers. For more than 85 years, the IAA has been advocating for advisers before Congress and U.S. and global regulators, promoting best practices and providing education and resources to empower advisers to effectively serve their clients, the capital markets, and the U.S. economy. The IAA’s member firms manage more than $35 trillion in assets for a wide variety of individual and institutional clients, including pension plans, trusts, mutual funds, private funds, endowments, foundations, and corporations. For more information, please visit www.investmentadviser.org.
 Outsourcing by Investment Advisers, 87 Fed. Reg. 68816 (Nov. 16, 2022), available at https://www.govinfo.gov/content/pkg/FR-2022-11-16/pdf/2022-23694.pdf (Proposal). The Proposal comprises proposed Rule 206(4)-11 (Proposed Outsourcing Rule), and proposed amendments to the Advisers Act Recordkeeping Rule (Rule 204-2) (Proposed Recordkeeping Amendments) and Form ADV (Proposed ADV Amendments).
 The short comment period for the Proposal and holiday deadline did not provide an appropriate amount of time to engage fully with our members and conduct the in-depth review of the ecosystem of investment advisers and their service providers required to evaluate and comment thoroughly on the Proposal. We restate our concerns that the short comment periods now routinely provided by the Commission make it extremely challenging for commenters, including the IAA, to provide extensive and meaningful responses.
 The Proposal notes that the Commission’s objectives include the reduction of enumerated perceived harms associated with adviser outsourcing and the enhancement of the Commission’s visibility into outsourcing practices. See Proposal at 68818-19.
 See Letter from Gail C. Bernstein, General Counsel, Investment Adviser Association, to the Commission re: Outsourcing by Investment Advisers (Dec. 23, 2022), available at https://investmentadviser.org/resources/iaa-letter-to-sec-on-service-provider-outsourcing/ (IAA Initial Letter). The IAA Initial Letter includes a discussion of our general views on the Proposal, which are incorporated here.
 The median number of non-clerical employees of SEC-registered investment advisers was eight at the end of 2021, with 58 percent of SEC-registered advisers having fewer than 10 non-clerical employees and 88.1 percent having fewer than 50 non-clerical employees. See IAA-NRS Investment Adviser Industry Snapshot 2022 (June 2022), available at https://investmentadviser.org/wp-content/uploads/2022/06/Snapshot2022.pdf.
 Cybersecurity Risk Management for Investment Advisers, Registered Investment Companies, and Business Development Companies, 87 Fed. Reg. 13524 (Mar. 9, 2022), available at https://www.govinfo.gov/content/pkg/FR-2022-03-09/pdf/2022-03145.pdf (Cybersecurity Proposal).
 Safeguarding Advisory Client Assets, 88 Fed. Reg. 14672 (Mar. 9, 2023), available at https://www.govinfo.gov/content/pkg/FR-2023-03-09/pdf/2023-03681.pdf (Safeguarding Proposal).
 Regulation S-P: Privacy of Consumer Financial Information and Safeguarding Customer Information, 88 Fed. Reg. 20616 (Apr. 6, 2023), available at https://www.govinfo.gov/content/pkg/FR-2023-04-06/pdf/2023-05774.pdf (Regulation S-P Proposal).
 Proposal at 68817.
 Proposal at 68819.
 See Commission Interpretation Regarding Standard of Conduct for Investment Advisers, Rel. No. IA-5248, 84 Fed. Reg. 33669, 33672 (July 12, 2019).
 By using the term “risk assessment,” we are not suggesting any prescribed structure or methodology for advisers to follow, and we emphasize our view that advisers should be able to approach this risk assessment in different ways. For example, they could incorporate it into an existing Enterprise Risk Management (ERM) program or a narrower Third-Party Risk Management (TPRM) program or Vendor Management Program (VRM), either of which may or may not be enterprise wide. They could also integrate third-party service provider management into each individual topic area, or develop a risk program targeted only at their core advisory functions. In addition, different types and degrees of risk could call for different approaches. See, e.g., Regulatory Notice 21-29, FINRA Reminds Firms of their Supervisory Obligations Related to Outsourcing to Third-Party Vendors, available at https://www.finra.org/rules-guidance/notices/21-29 (“Firms may wish to evaluate … in the context of a risk-based approach to Vendor management in which the breadth and depth of their due diligence and oversight may vary based on the activity or function outsourced to a Vendor.”).
 As discussed in the IAA Initial Letter, we believe that a finding of an anti-fraud violation is an unfairly severe consequence for inadvertent, technical, or good faith failures to comply with the proposed prescriptive requirements. A principles-based rule would allow the Commission to not consider an adviser’s assessment of whether a function or service is a Covered Function as a rule violation unless it is shown that the assessment was made without a reasonable basis or not in good faith. Similarly, it would allow the Commission to not consider a technical failure to satisfy all elements of the due diligence and monitoring requirements as a rule violation when the adviser acted in good faith. The Commission would, of course, retain the authority to bring enforcement actions where an adviser’s risk-based oversight is deficient.
To provide clarity to advisers, we recommend that the Commission include these points in the Adopting Release. We also ask the Commission to confirm that, while the adviser remains ultimately responsible for performance of the outsourced function, the Commission would not read the rule as limiting an adviser’s contractual rights against the service provider or as potentially extending to the adviser any liability the service provider may have to third parties resulting from failures by the service provider.
 In the recently adopted final rule for shortening the settlement cycle, the Commission stated that “the Commission generally agrees that requiring policies and procedures as an alternative approach to compliance, separate from entering into written agreements, provides broker-dealers with more flexibility to achieve same-day affirmation” and that it is “providing broker-dealers with this discretion under the rule to allow broker-dealers to select the approach that best aligns with their existing business practices and customer relationships.” See Shortening the Securities Transaction Settlement Cycle, 88 Fed. Reg. 13872, 13893-13894 (Mar. 6, 2023), available at https://www.govinfo.gov/content/pkg/FR-2023-03-06/pdf/2023-03566.pdf.
 This caution could lead advisers to view as Covered Functions many functions that are not themselves core advisory functions, but that are important to the provision of advisory services or to the operation of the business in a way that enables advisers to provide advisory services, for example, licensing use of CUSIP numbers or Bloomberg terminals, use of data analytics or other technology tools, or consulting services.
 Proposal at 68817.
 Proposal at 68824, Q. 5.
 See Commissioner Mark T. Uyeda, Statement on Proposed Rule Regarding Outsourcing by Investment Advisers (Oct. 26, 2022), available at https://www.sec.gov/news/statement/uyeda-statement-service-providers-oversight-102622.
 Proposal at 68822.
 See id. at 68855 (“We estimate … five covered functions per adviser”), and 68867 (“we estimate that each adviser would outsource an average of six covered functions”).
 Proposal at 68830.
 See supra note 17 for examples of functions that could be considered covered under the proposed definition but should not be viewed as “directly related to and necessary for” the provision of advisory services under our suggested alternative.
 Proposal at 68823.
 We also discuss custodians separately below because we believe they raise unique concerns under the Proposal.
 We note that custodians and broker-dealers perform functions that advisers are not themselves permitted to perform as advisers and, unless they are dual-registrants, would need to rely on another entity to perform. It is thus difficult to see how advisers should “determine that it would be appropriate to outsource the Covered Function,” as proposed Rule 206(4)-11(a) would require.
 Proposal at 68875.
 The Proposal indicates that it does not intend to include custodians, see Proposal at 68843, n. 103 (“custodians … are not within the scope of the rule”), but other language is less clear. See id. at 68821 (“custodians that are independently selected and retained through a written agreement directly with the client would not be covered by the proposed rule because the adviser is not retaining the service provider to perform a function that is necessary for the adviser to provide its advisory services.”).
 The proposed Safeguarding Client Assets Rule, if adopted as drafted, would have significant unintended consequences for the treatment of custodians under the Proposal since every adviser with discretionary authority would have to have a contract with every custodian used by its clients, thereby rendering any exclusion of custodians in the Proposal meaningless. The Commission should thus confirm that custodians are excluded from any final outsourcing rule and address issues relating to custodians in the Safeguarding Proposal.
 Proposal at 68820.
 See Proposal at 68821 (“We believe it is contrary to the public interest and investor protection if the adviser then outsources covered functions without effectively overseeing those outsourced functions. Accordingly, an adviser should be overseeing outsourced functions to ensure the adviser’s legal obligations are continuing to be met despite the adviser not performing those functions itself.”).
 Proposed Rule 206(4)-11(a)(1)(i)-(iii).
 We note that an outsourced function could be a Covered Function without every risk associated with that function being material.
 Proposed Rule 206(4)-11(a)(1)(iv).
 Proposed Rule 206(4)-11(a)(1)(v)-(vi).
 We also question whether requiring every adviser to obtain these assurances would add any value, given that all advisers using the same Service Provider would be seeking the same assurances and merely duplicating one another’s diligence.
 Proposal at 68832, Q. 32.
 Proposal at 68833.
 Proposal at 68835.
 Commission, Investment Adviser Public Disclosure, https://adviserinfo.sec.gov/.
 ADV 1A disclosures are designed to improve the depth and quality of information that the Commission collects on investment advisers, facilitate risk monitoring initiatives, and assist Commission staff in its risk-based examination program. See Form ADV and Investment Advisers Act Rules, 81 Fed. Reg. 60418 (Sept. 1, 2016), available at https://www.govinfo.gov/content/pkg/FR-2016-09-01/pdf/2016-20832.pdf.
 With respect to confidential treatment, the Commission could treat this as information that is visible only to the Commission, similar to the treatment of Chief Compliance Officer information on Form ADV and information filed on Form PF. Under Section 204(b)(10) of the Advisers Act, as adopted by the Dodd-Frank Act, the Commission is expressly limited from disclosing publicly an investment adviser’s “proprietary information” in Form PF filings. In adopting Form PF, the Commission recognized the importance of protecting this information, determining not to adopt certain questions on Form ADV in response to commenter concerns that “they would result in the public disclosure of competitively sensitive or proprietary information.” Reporting by Investment Advisers to Private Funds and Certain Commodity Pool Operators and Commodity Trading Advisors on Form PF, 76 Fed. Reg. 71128, 71145 (Nov. 16, 2011), available at https://www.govinfo.gov/content/pkg/FR-2011-11-16/pdf/2011-28549.pdf. The same rationale applies here.
 As an example, while use of certain cloud providers (e.g., Amazon Web Services) is ubiquitous, there are a handful of critical cybersecurity providers. To the extent that public disclosure of such providers could provide a roadmap for bad actors, the potential negative impacts would be tremendous, with the risks vastly outweighing any potential benefit of public disclosure.
 See Shortening the Securities Transaction Settlement Cycle, supra note 16.
 We note that the current Recordkeeping Rule requires advisers to provide Commission staff “means to access, view, and print the records,” and does not require advisers essentially to force their third-party recordkeepers to open their records directly to the Commission. See Rule 204-2(g)(2).
 For example, as we noted earlier, the Commission’s economic analysis assumes that, on average, advisers will have no more than five or six Covered Functions. The Proposal also provides wholly unrealistic estimates of how long it will take advisers to meet the extensive proposed due diligence, monitoring, and recordkeeping requirements, especially in light of the heightened anti-fraud risk.
 The IAA again urges the Commission to consider regulation holistically and assess the cumulative impact of regulation on investment advisory firms of all sizes, particularly on smaller advisory firms. It is incumbent upon the Commission to conduct robust cost-benefit analyses, not only of each regulatory proposal in isolation, but of their cumulative effects on advisers, their clients, and the financial services landscape more broadly. Executive Order 13563, “Improving Regulation and Regulatory Review” issued in 2011, which is supplemental to and reaffirms the principles in Executive Order 12866, “Regulatory Planning and Review,” requires agencies to “tailor [their] regulations to impose the least burden on society, consistent with obtaining regulatory objectives, taking into account, among other things, and to the extent practicable, the costs of cumulative regulations.” (emphasis added)
There can be no doubt that the costs of compliance – direct and indirect – rise with each regulation and directly impact the resources advisers have to invest in other aspects of their businesses, including the resources available for client-facing efforts. We recognize that as an independent regulatory agency, the Commission is not legally bound by the requirements in Executive Orders 12866 and 13563. However, the Commission has long recognized “that these principles represent accepted standards of good practice in conducting rulemaking proceedings.” See, e.g., Commission, Office of the Inspector General, Rulemaking Process, Audit No. 347 (July 12, 2002), available at https://www.sec.gov/about/oig/audit/347fin.htm.
 See supra note 6.
 The transition for advisers and Service Providers will be especially burdensome if, as part of the monitoring requirement, advisers will need to undertake the same obligations with respect to their existing outsourcing arrangements. Question 84 in the Proposal states that, “[u]nder our current proposal, all current applicable adviser engagements with service providers would fall within the purview of the proposed rule and would be subject to the due diligence and monitoring requirements as outlined within the proposal as of the compliance date. We understand that this requirement may result in advisers having to revisit existing arrangements with service providers to review for compliance and perhaps even requiring advisers to amend current contracts to satisfy the requirements of the proposed rule.” Proposal at 68841.
 We appreciate that the Commission has proposed a staggered compliance date for smaller advisers in its recent Safeguarding Proposal. Specifically, the Commission provides that the compliance date would be one year following the rule’s effective date for advisers with more than $1 billion in regulatory assets under management (RAUM) and 18 months for advisers with up to $1 billion in RAUM. See Safeguarding Proposal, supra note 8. We urge the Commission to follow this approach in all of its rulemakings.
 We note that, in response to public comments, the Commission extended the proposed one-year compliance period for Rule 206(4)-1, the Marketing Rule, to 18 months. See Investment Adviser Marketing, 86 Fed. Reg. 13024, 13092 (Mar. 5, 2021), available at https://www.govinfo.gov/content/pkg/FR-2021-03-05/pdf/2020-28868.pdf. The Commission also granted a two-year grandfathering provision for existing service agreements in the Regulation S-P final rule. 17 CFR. § 248.18(c).
 The Department of Labor (DOL) recently announced it was reopening the comment period for the proposed amendment to the so-called “QPAM Exemption,” following a request from a group wanting to submit a response but not being able to obtain member approval before the comment deadline. Reopening Comment Period for the Proposed Amendment to Prohibited Transaction Class Exemption 84-14 (the QPAM Exemption), 88 Fed. Reg. 17466 (Mar. 23, 2023), available at https://www.govinfo.gov/content/pkg/FR-2023-03-23/pdf/2023-05522.pdf. After the group asked the DOL whether it could submit a comment late or otherwise informally respond, the DOL, rather than declining to include the comment in the record, decided that the best course of action was to reopen the comment period so it could receive the group’s comment while providing an opportunity for other interested parties to comment and provide additional information on the proposed amendment. See Letter from the DOL to the American Benefits Council, Proposed Amendment to Prohibited Transaction Class Exemption 84-14 (“the QPAM Exemption”) (Mar. 24, 2023), available at https://www.dol.gov/sites/dolgov/files/EBSA/laws-and-regulations/rules-and-regulations/public-comments/reopened-comment-period/ebsa-response-00001.pdf. See also Office of the Federal Register, A Guide to the Rulemaking Process (Jan. 2011), available at https://www.federalregister.gov/uploads/2011/01/the_rulemaking_process.pdf (“an agency may find that people have raised new issues in their comments that were not discussed in the initial proposed rule” and “[a]fter the comment period closes, an agency may establish a second period for reply comments … The reply comment period enables people to respond to comments that agencies received at the end of comment period, creating more of a public dialog[ue].”). The Commission should ensure comment periods are “designed to promote equitable and meaningful participation by a range of interested or affected parties,” because “[t]he regulatory process benefits from broad public participation … permitting agencies to consider a range of relevant views on regulatory actions.” Implementation of Modernizing Regulatory Review Executive Order (Apr. 6, 2023), available at https://www.whitehouse.gov/wp-content/uploads/2023/04/ModernizingEOImplementation.pdf.
 We are not alone in our concern. Indeed, the Antitrust Division of the U.S. Department of Justice submitted a comment letter to the Commission on April 11, in response to proposed rules relating to market structure changes, calling on the Commission to “carefully consider potential interactions among the Proposed Rules when preparing their final versions, planning for the rules’ implementation timelines, and evaluating the actual effects of the rules once they go into effect. In particular, the Antitrust Division urges the Commission to ensure that the final rules, taken together, preserve the benefits to competition identified by the Commission in each of the rules’ proposals.” Comment of the Antitrust Division of the United States Department of Justice on File Nos. S7-29-22; S7-30-22; S7-31-22; and S7-32-22 (Apr. 11, 2023), available at https://www.sec.gov/comments/s7-29-22/s72922-20164065-334011.pdf.
 See Proposal at 68822.
 Safeguarding Proposal at 14690. This example, also discussed in note 30 in connection with the exclusion of custodians from the Service Provider definition, demonstrates the complexity of the interrelationships among the various rule proposals and highlights the challenges commenters are facing in trying to address the potential implications of each proposal, especially in the short time provided by the Commission. Other rulemaking proposals that call for contracts or written assurances from third parties that are likely to interact with one another in ways that the Commission has not considered include the Cybersecurity Proposal, Regulation S-P Proposal, Safeguarding Proposal, and Private Fund Proposal. See Private Fund Advisers; Documentation of Registered Investment Adviser Compliance Reviews, 87 Fed. Reg. 16886 (Mar. 24, 2022), available at https://www.govinfo.gov/content/pkg/FR-2022-03-24/pdf/2022-03212.pdf.
 Cybersecurity Risk Management for Investment Advisers, Registered Investment Companies, and Business Development Companies; Reopening of Comment Period, 88 Fed. Reg. 16921 (Mar. 21, 2023), available at https://www.govinfo.gov/content/pkg/FR-2023-03-21/pdf/2023-05766.pdf.