13 rules in less than 3 years is too much, advisor group tells SEC


An advisor industry group is saying firms need at least five years to come into compliance with a bevy of new regulations whose requirements the SEC maintains can be met in less than three.

The Investment Adviser Association, which represents more than 600 advisory firms, sent the Securities and Exchange Commission a letter last week warning that the financial planning industry will struggle to keep its footing if the Wall Street regulator goes forward with its plans to adopt the slew of regulations it has proposed in recent years. According to the association's reckoning, firms could find themselves having to comply with at least parts of 13 new regulations over the course of a little more than two years.

That's not enough time, the association argues, for firms to make the many internal changes that will be needed to meet the new rules' myriad requirements. As an example, the IAA noted that several of the SEC's proposals would call on firms to renegotiate their contracts with outside service providers. 

One regulation up for consideration — a so-called outsourcing rule first proposed in October — would have advisors draw up new written agreements with third-party providers for everything from cybersecurity and investment guidance to regulatory compliance and securities valuation. The contracts would have to give firms the right to inspect third parties' books and procedures periodically to make sure they are complying with securities laws.

Meanwhile, a separate SEC proposal would call on firms to enter into contracts with the third-party custodians — often banks or brokerages — that they turn to for safeguarding client assets. Among other things, the written deals would pledge the custodian to provide records on request showing which investor assets were being held and would spell out how much authority advisors have over those assets. 

The upshot, according to the IAA's letter, is that firms could find themselves having to "negotiate or renegotiate required terms four different times, often with the same parties but with different deadlines within a fairly short period." 

"You would have advisors having to reopen negotiations four different times with similar parties, but each time with slightly different requirements, which are very prescriptive," said Gail Bernstein, the general counsel for the IAA.


Bernstein said she doubts small firms in particular are in a good position to dictate contract terms to large service providers who might find it easier simply to do business with someone else.

The IAA's letter calls on the SEC to consider how much time firms would need to comply not with each proposed rule on its own but with all of them at once. At a minimum, the association wrote, the industry should have five years.


The IAA acknowledges that some of the proposals cited in its letter are likely to affect most advisors only in a tangential way. But four of them — dealing with cybersecurity, data privacy, third-party service providers and safeguarding investor assets — will fall on almost every firm. And for those far-reaching proposals, the SEC's current timelines would give the industry only about 16 months for compliance.

Bernstein said she has seen scant evidence suggesting SEC regulators have taken into consideration how these rules would interact with each other if adopted over a short period. She said she and her colleagues have pointed out numerous redundancies and inconsistencies in the proposals and tried to bring those findings to the SEC's attention.

"Even assuming that each one of these proposals would be reasonable in a vacuum," Bernstein said, "when you have proposals to adopt two or three or four or five of these at the same time, it's not unreasonable to say the industry is going to need a lot of time to respond."

An SEC spokesperson said, "The SEC benefits from robust engagement from the public and will review all comments submitted during the open comment period. Generally, we respond to comments received as part of the final rulemaking and not beforehand."


Amy Lynch, the founder and president of consultant FrontLine Compliance, said she gives SEC Chairman Gary Gensler some credit for being upfront about his ambitious regulatory plans and then following through. But she said she shares many advisors' concerns that attempting to do so much at once will do more harm than good.

"I talk to my clients and try to calm their fears and some see the saving grace to this is the timing of the staggered rollout," Lynch said. "However, there are still about four or five final rules that could come out at the same time. Right now, they are talking about around October."

Michael Canning, principal at the public policy consultant LXR Group and a former director of policy at the North American Securities Administrators Association, said the prospect of so many moving regulatory pieces dooms almost any attempt at predicting the likely results to futility.

"If you compare the current reality, i.e., the baseline, against what your projection is if the rule as proposed were adopted, but you have three or four or five major rule proposals going on at the same time, it renders the baseline almost meaningless," Canning said. 

Aside from its concerns that the SEC is trying to do too much too fast, the IAA wants the SEC to do more research on the likely cost of the proposals and look further into how they would affect small firms in particular. It also has proposed numerous modifications to each of the SEC's individual proposals. 

Bernstein said that although cybersecurity remains a priority in the industry, there are concerns the SEC's latest proposal to prevent hacks and data breaches could be counterproductive. One provision, for instance, would require broker-dealers to submit reports on their annual cybersecurity reviews and any vulnerabilities that they've unearthed. Some of the resulting information would end up in public SEC databases and records.

The IAA's letter warns that these disclosures could provide hackers with a "roadmap for further attacks."

At the same time, the only one of the SEC's proposals the IAA views as completely unnecessary is the outsourcing rule. Advisory firms, according to the association, are already obliged by their fiduciary responsibilities to make sure any third-party service providers they enlist are putting their clients' interests first.

Bernstein said that although the SEC's other proposals might eventually be acceptable in modified form, there's nothing about them that makes adoption urgent. Cybersecurity and the custody of client assets, for instance, will remain priorities in the industry whether or not they are the subjects of new regulations.

"Effective regulation is critical, that's a given," Bernstein said. "But if there is going to be massive disruption in the industry, that disruption has to be warranted. In these circumstances, there really is no urgency."

Here are some specifics on the four proposed rules the IAA is most concerned about:

Cybersecurity

The SEC has two separate rules on cybersecurity up for consideration. 

One would apply specifically to broker-dealers and similar firms, requiring them to adopt written policies designed to prevent hacks and to review those policies once every year. They would also have to report data breaches to federal regulators immediately and would have no more than 48 hours to follow up with detailed reports.

The second proposal would apply to investment advisors, allotting the same 48 hours to provide confidential reports of breaches.

Together the rules take up more than 700 pages and have by themselves prompted complaints that the SEC is trying to do too much, too quickly. Industry groups have called on the regulator to consolidate the rules into one proposal and provide uniform standards for all financial planners.

The cybersecurity proposals have also given rise to concerns about contract renegotiations. Since most firms turn to third parties for help with cybersecurity, they would be required under the rules to draw up new agreements to ensure outside companies comply with the proposals' reporting requirements and other provisions.

The SEC has shown some willingness to budge on its timelines. With the proposal specific to investment advisors, for instance, comments were initially due in April 2022. Comments on the proposal were eventually due on May 23.

Data privacy

In a related proposal, the SEC put forward a rule in March that would give firms 30 days to notify clients of breaches exposing their personal data. It would mark the first overhaul of rules designed to protect customer information — known as Regulation S-P — which have not undergone a large revision since their adoption in 2000.

The proposal does include an exemption from the requirement to notify customers of breaches. Firms that conduct investigations and find that any information pilfered isn't likely to be "used in a manner that would result in substantial harm or inconvenience" don't have to bother with the disclosure requirement.

Finally, the IAA and other groups have complained that the yearlong period the SEC would allot for compliance is far too short.

Custody rule

Advisors and broker-dealers have also come out with strong criticisms of the SEC's proposed custody rule. 

The SEC's current custody rule generally requires that advisors hold client assets at third-party banks, broker-dealers or trust companies for safekeeping. The main purpose of the proposed rule is to extend custody requirements beyond assets like stocks and mutual funds to investment vehicles like cryptocurrencies, real estate and derivatives.

But it's another provision that's causing the most consternation among advisors. The federal regulator's proposed rule would give firms custodial responsibilities any time they had been granted authority to engage in discretionary trading, or trade on clients' behalf without having to get approval for each individual transaction.

Before an advisory firm could work with an independent custodian to conduct discretionary trading, it would first have to have that third party enter into an elaborate written agreement. Among other things, the pacts would pledge the custodian to provide records on investor assets on request. And as a protection against bankruptcy, custodians would have to have investor assets set aside in funds that would be shielded from creditors.

The problem, according to critics, is that the custodians used to hold client assets for discretionary trading are seldom chosen by advisors. Rather, custodians are often banks picked directly by clients.

That lack of a relationship with advisors has given rise to concerns that firms will have a hard time insisting custodians agree to certain contract provisions. Once again, according to groups like the IAA, it's small firms that are likely to have the hardest time pushing for the required terms.

"These terms may be inconsistent with the business imperatives of service providers, and even where they are not, service providers have little incentive — whether regulatory or economic — to negotiate specific terms with advisers," the IAA's letter states. "Moreover, most advisers have little to no leverage to compel them to do so, thus calling into question the effectiveness of these proposed requirements."

Other groups question the SEC's authority to regulate custodians. A June 20 blog post by Alison Touhey, senior vice president at the American Bankers Association, contends the SEC is moving in territory where it has no business being.

"The SEC lacks any statutory authority to regulate custody banks as contemplated by the proposal," Touhey wrote. "Yet the proposal empowers the commission to unduly insert itself into matters at the core of the bank regulatory system, which conflicts with the statutory requirements governing bank safety and soundness."

Outsourcing

The SEC's proposal to extend advisors' fiduciary duties to their third-party service providers has drawn plenty of debate from the industry. The proposal would apply to any outsourced functions that are essential to providing financial advice in compliance with federal securities laws and that could materially harm clients if they were performed negligently or not at all.

Most of the advisors and industry groups that submitted comments on the rule said the proposed changes would prove too costly for small firms and unnecessarily duplicate existing regulations. Under the rule, advisors who choose to outsource would have to subject their third-party subcontractors to monitoring at regular intervals and periodically reassess whether that provider is, in fact, the best choice. They would also have to keep detailed records of their monitoring activities and of any covered functions they've farmed out. 

The SEC would give firms 10 months to come into compliance with the rule. It estimates that firms would have to spend $132,320 on average to stay on the right side of the rule in its first year and $44,107 every year afterward.