IAA: SEC’s Pending Adviser Proposals Are Redundant, Inconsistent

The Investment Adviser Association is arguing that the Securities and Exchange Commission’s four pending adviser proposals are “duplicative,” “inconsistent” and “address overlapping concerns.”

The IAA’s letter addresses four pending adviser-related proposals introduced by the SEC, including Reg S-P, which seeks to protect customer information and data; a rule addressing cybersecurity safety; a proposal for registered advisers to monitor and be responsible for the work of outsourced vendor services; and an asset safeguarding rule that seeks to increase scrutiny of how asset managers handle and maintain client assets.

The IAA took aim at redundancy in some of the proposals in a comment letter sent to the regulator on Saturday with a call for consolidation and clarity before enforcement begins.

The DC-based advocacy group noted that both Reg S-P and the cybersecurity proposal require advisers to maintain policies to detect and respond to digital breaches and attacks, with Reg S-P requiring an adviser to inform affected customers within 30 days of a breach and the cybersecurity proposal requiring advisers to inform the SEC within 48 hours of a significant cyber event.

The IAA also pushed back on requirements in the safeguarding and outsourcing proposals that advisers obtain reasonable assurances in contracts with various service providers.

Gail Bernstein, the general counsel at IAA, argues that the contractual obligations in these proposals will require advisers to go to different partners and third parties and obtain assurances from each. Bernstein says that “when you have to go back to the same people for different requirements, it’s problematic.”

The IAA also asks that the SEC clarify that the outsourcing rule does not apply to asset custodians, who would already be covered under the safeguarding rule.

For example, the outsourcing rule would require advisers to negotiate contracts in which they are assured by custodians that they will coordinate on compliance issues. Meanwhile, the safeguarding rule would require advisers to secure contractual assurances that their clients’ assets will be segregated from the assets of the custodian.

Bernstein says “this bucket of rulemaking is going to be extremely disruptive.”

Both Bernstein and the IAA’s letter emphasize the importance of reducing the regulatory burden on small advisers. The general counsel argues that small advisers should be excluded from the 48-hour reporting requirement in the cybersecurity proposal because the purpose of the disclosure is to make the SEC aware of a market-wide issue, but a compromised small adviser is unlikely to be involved in a widespread problem. In a case where many small advisers are compromised all at once, the SEC will hear about it from their system service providers and larger advisers who were also affected.

Lastly, Bernstein says the SEC should “come up with a more balanced approach” to accommodate smaller advisers. Specifically, it should have a tiered approach that extends compliance dates and reduces requirements for smaller firms.