IAA Comment Letter to SEC Regarding Adviser Proposals
June 17, 2023
Ms. Vanessa A. Countryman
U.S. Securities and Exchange Commission
100 F Street, NE
Washington, DC 20549-1090
Re: SEC Rel. Nos. 33-11167, IA-6263, IC-34855, 33-11028, IA-5956, IC-34497 (File No. S7-04-22); SEC Rel. No. IA-6176 (File No. S7-25-22); SEC Rel. No. IA-6240 (File No. S7-04-23); SEC Rel. Nos. 34-97141, IA-6262, IC-34854 (File No. S7-05-23)
Dear Ms. Countryman:
The Investment Adviser Association (IAA) commends the Commission for recognizing the need to consider and address the impact that certain recently proposed investment adviser regulations involving cybersecurity and data breaches may have on each other. We strongly support enhancing the preparedness and resiliency of advisers against cybersecurity threats and protecting the data privacy of investors, and, in our comment letter on the Cybersecurity and Regulation S-P Proposals, we expressed our general support for Commission efforts to do so, subject to certain modifications. While we appreciate that the Commission reopened the comment period on the Cybersecurity Proposal for this purpose, we feel compelled to note again that the Regulation S-P and Cybersecurity Proposals are just two among a series of more than a dozen consequential new rules and proposals – some that are highly interrelated – impacting advisers that the Commission has issued during the past two years that are unprecedented in their scope and speed (collectively, Adviser Proposals).
When taken together, the Adviser Proposals, if adopted, will significantly overhaul the current regulatory regime under the Investment Advisers Act of 1940 (Advisers Act) and rules thereunder, requiring massive implementation efforts from advisers. They will also disrupt existing infrastructures and relationships, with substantial implications – foreseen and unforeseen – for advisers, investors, service providers, and the markets. Even if the Commission were to modify the Adviser Proposals pursuant to the recommendations we made in our comment letters, there will be significant changes to current practices requiring substantial implementation efforts by advisers. The Commission has severely underestimated the costs of the Adviser Proposals – both in isolation and on a cumulative basis – for all advisers, and especially for smaller advisers. At the same time, it has, in our view, overestimated the potential benefits, and we are concerned that the Adviser Proposals collectively will harm rather than further the Commission’s stated goals.
We urge the Commission to consider the Adviser Proposals – including their costs and benefits – together and holistically, prior to adopting any more final rules relating to these proposals. In particular, we believe it is important for the Commission to consider the Regulation S-P, Cybersecurity, Outsourcing, and Safeguarding Proposals (collectively, the Four Proposals) together. These proposals are especially interconnected, include duplicative and potentially inconsistent requirements, and address overlapping concerns. We discuss this overlap below.
We also make recommendations relating to implementation of the Adviser Proposals by advisers. Establishing a more reasonable implementation timeline will lessen some of the implementation burdens, which will be staggering regardless of whether the Commission addresses our substantive concerns with these proposals. For example, tiering and staggering compliance requirements would better enable advisers to implement and operationalize the many new requirements under the Adviser Proposals that we anticipate will be adopted within a short time of one another. A reasonable timeline would also demonstrate that the Commission appreciates that advisers will need to implement these new rules while at the same time maintaining and executing their existing compliance programs and, most importantly, continuing to serve their clients.
Specifically, we recommend that the Commission:
- Explicitly address the potential implications of the Four Proposals cohesively prior to adoption.
- Undertake a more expansive, accurate, and quantifiable assessment of the cumulative costs, burdens, and economic effects that all the Adviser Proposals would impose on advisers, their clients, and other market participants.
- Directly and accurately address how the Adviser Proposals would affect smaller advisers and thoroughly consider and explicitly address alternatives.
- Before taking final action on the Adviser Proposals, seek public feedback on a comprehensive implementation timeline for tiered and staggered compliance requirements and dates for all these proposals.
We look forward to continuing our constructive engagement with the Commission on the Adviser Proposals and other important issues affecting investment advisers.
I. Explicitly address the potential implications of the Four Proposals cohesively prior to adoption.
A. We support the Commission’s consideration of the potential implications of the Regulation S-P and Cybersecurity Proposals together.
The IAA appreciates that the Commission has identified and is seeking comments on ways that the Regulation S-P and Cybersecurity Proposals interact. As further discussed in our Regulation S-P Letter, we highlight certain areas below where there is interplay between the Regulation S-P and Cybersecurity Proposals. We also agree with the Commission that these two proposals are based on distinct statutory requirements and serve related but separate objectives and support addressing these issues through separate rulemakings, as proposed. However, we strongly support the Commission’s efforts to assess the potential implications of these proposals cohesively prior to adopting them.
This Commission’s inquiry is necessary to help advisers develop coherent policies and procedures, avoid having to engage in unnecessarily redundant efforts, and lessen the risk that the interplay between these proposals could lead to technical noncompliance with one or both proposed rules. For example, the Regulation S-P and Cybersecurity Proposals both include requirements for advisers to create policies and procedures reasonably designed to detect, respond to, and recover from unauthorized access to adviser information systems. Advisers would also be required under both proposals to disclose publicly how they have addressed and remediated breaches. It would be helpful for the Commission to explicitly address how these requirements would interact with one another – e.g., whether they are inconsistent or duplicative – and how they would be implemented, especially on different timelines. We offer specific recommendations to address these and other concerns in our Regulation S-P Letter.
We are especially concerned with the requirements in both proposals for advisers to negotiate new or renegotiate existing contracts, often with the same parties, but with different requirements and different implementation timelines. We address this concern below since it is front and center in each of the Four Proposals.
B. We urge the Commission to evaluate the Four Proposals holistically before considering final action on any of them.
The IAA strongly encourages the Commission to expand its inquiry to also include the Outsourcing and Safeguarding Proposals prior to taking final action on any of the Four Proposals. Specifically, we believe that the Four Proposals should be evaluated cohesively by the Commission to assess how they interact with one another and their overall likely impacts. This evaluation should also consider commenters’ collective feedback on each of the Four Proposals and how that feedback informs the Commission’s holistic review. Following that evaluation, the Commission could (i) adopt rules or, as an alternative, guidance, that reflect this holistic assessment, (ii) share its thinking and preliminary conclusions and reopen the comment periods to allow for public feedback on its evaluation, and/or (iii) withdraw and repropose the Four Proposals with significant modifications.
While the Commission has recognized the potential interaction between the Regulation S-P and Cybersecurity Proposals, it has not explicitly addressed the implications of that interaction and how concerns may be mitigated. Nor has it addressed how these proposals may overlap or interact with the Outsourcing and Safeguarding Proposals, which are also closely related. We believe that only by considering the Four Proposals together will the Commission be able to identify and address, and, if warranted, provide guidance on, aspects of these proposals that, among other things: overlap or are duplicative; conflict or could lead to inconsistent results; may result in the inefficient or unnecessary deployment of valuable resources by advisers; or could lead to unintended consequences to the detriment of advisers, investors, and the markets.
A more holistic consideration of the Four Proposals would also enable the Commission to evaluate whether the proposals could be modified to achieve the Commission’s goals through a more targeted and less onerous approach than what has been proposed, and/or where guidance would be helpful. Unless these concerns are addressed up front, advisers will incur unnecessary and significant legal and compliance fees as they attempt to navigate how to comply with any final requirements. Moreover, the Commission will have to devote substantial time and effort to issuing clarifying guidance or relief after the rules are adopted.
We offer the following examples relating to the proposed requirements for contractual terms and the treatment of custodians to demonstrate some of the complexity of the interrelationships among the Four Proposals and highlight just a few of the many challenges advisers are likely to face as they try to implement each proposal, if adopted substantially as proposed.
- Implications of contracts and reasonable assurances requirements. As with the Regulation S-P and Cybersecurity Proposals, the Outsourcing and Safeguarding Proposals would each also require advisers to negotiate contractual terms with or obtain reasonable assurances from various service providers. Indeed, advisers would need to negotiate or renegotiate required terms four different times, often with the same parties but with different deadlines within a fairly short period. As discussed in our comment letters on each of these proposals, these terms may be inconsistent with the business imperatives of service providers, and even where they are not, service providers have little incentive – whether regulatory or economic – to negotiate specific terms with advisers. Moreover, most advisers have little to no leverage to compel them to do so, thus calling into question the effectiveness of these proposed requirements. Given these real-world practical constraints, the Commission is essentially asking advisers to devote substantial resources repeatedly to efforts that may not generate the required results, could divert advisers from focusing on risks or concerns more specific to their businesses, and could lead to multiple instances of technical noncompliance.
The specific terms that would need to be negotiated in three of the Four Proposals are also overlapping and thus confusing. For example, the Outsourcing Proposal would require that advisers obtain reasonable assurances from service providers with respect to their ability to meet the proposed due diligence and recordkeeping standards. By contrast, the Regulation S-P Proposal would require policies and procedures that require covered institutions to enter into a written contract with each service provider requiring that it take appropriate measures designed to protect against unauthorized access to or use of customer information. And the Cybersecurity Proposal would require a written contract relating to the cybersecurity controls of third-party service providers. It is not at all clear how advisers are expected to interpret and apply these different but related requirements in different negotiations with the same or related service providers.
- Interplay and lack of clarity with respect to custodians. The interplay between the Outsourcing and Safeguarding Proposals raises additional issues with respect to the treatment of custodians. In our recently submitted Supplemental Outsourcing Letter, we asked the Commission to make clear, if it adopts a final outsourcing rule – which we recommend against – that custodians are outside the scope of that rule. As discussed in that letter and in our Safeguarding Letter, a custodian contracts directly with its customer to provide it with custody services and the adviser has no privity of contract with the custodian with respect to that relationship or those services. The Outsourcing Proposal suggests that these custodians would not be covered by that proposed rule. However, because the Safeguarding Proposal proposes to capture all discretionary trading under the definition of custody, it would require at least one contract between every adviser that exercises discretionary authority (over 90% of advisers) and every custodian with which the adviser’s clients have a relationship. This sudden and unexpected privity of contract could make all custodians “Service Providers” under the Outsourcing Proposal, subjecting advisers to all the requirements under the Outsourcing Proposal, including another round of negotiation of specific terms. We do not believe that this is or should be the Commission’s intention.
In addition to the myriad other concerns we have expressed regarding the proposed contractual/reasonable assurances requirements – including relating to applying the anti-fraud provisions of the Advisers Act to technical foot-faults, we are concerned about the implications for the adviser’s clients. If the adviser were unable to get a custodian to agree to any of the specific required terms under either of these proposals, the adviser would not be able to use that custodian, but nor would its clients. The adviser’s clients would need to switch custodians if they wanted to stay with the adviser, or switch advisers if they wanted to stay with the custodian. We do not believe that the Commission intends to limit clients’ choice this way or for these rules to be so disruptive to clients.
- Increased cybersecurity risks. We are concerned about situations where the Four Proposals could result in additional significant unintended consequences, some that may lead to increased risk and substantial investor harm. For example, the specificity of the proposed disclosure requirements – directly to clients or in Form ADV filings – in the Regulation S-P, Cybersecurity, and Outsourcing Proposals could lead to further cybersecurity attacks against advisers and their clients. Each of these proposed requirements raises the concern that cybersecurity threat actors will be provided with a roadmap for further attacks through public disclosures – for example, through a description of a firm’s cybersecurity remediation efforts. Public disclosures that indicate which service providers serve which advisers – as would be required, for example, by the Outsourcing Proposal – would also be a temptation for threat actors. These concerns are greatly exacerbated each time the Commission calls for additional public disclosure of sensitive information that is not decision useful for clients. Our concerns about data security extend to non-public disclosure as well.
Given that no one is fully immune to attacks, the Commission should consider the risk that a cybersecurity breach of the Commission’s systems storing the various regulatory reports, especially along with other non-public sensitive information, could provide cybersecurity hackers a treasure trove of information relating to an adviser’s system weakness or vulnerabilities or a service provider’s sensitive proprietary information. While we have recommended confidential (rather than public) treatment of certain information that the Commission proposes to require, we again urge the Commission to proceed cautiously before requiring advisers to report an ever-greater amount of information that could be harmful to them and their clients if inadvertently or maliciously disclosed or abused.
As explained in our various comment letters on the Four Proposals, there are likely to be other harmful downstream effects on investors, which are likely to bear many other costs of these proposals, whether directly or indirectly. For example, advisers may have to use service providers that are not their top choice, or bring more outsourced functions in house where it might be better for the adviser and its clients for the function to remain outsourced.
For these reasons it is incumbent on the Commission to conduct a more thorough and comprehensive evaluation of how the Four Proposals align or conflict with one another so that it can identify and address these and other areas of concern prior to any final action on a rule. Otherwise, advisers will face significant challenges in understanding and implementing the resulting regulatory obligations, which could lead to confusion, inefficiency, and unintentional compliance failures, all of which would directly undermine the goals of the rulemakings.
II. The Commission should undertake a more expansive, accurate, and quantifiable assessment of the cumulative costs, burdens, and economic effects of the Adviser Proposals and consider alternatives.
The IAA and other commenters have repeatedly urged the Commission to consider proposed regulations holistically and to assess the cumulative impact of regulations, both existing and proposed. We believe it is imperative for the Commission to carefully conduct robust cost-benefit analyses, not only of each regulatory proposal in isolation, but of their cumulative effects on advisers, their clients, and the financial services landscape more broadly. For example, there can be no doubt that the costs of compliance – direct and indirect – rise with each regulation and directly impact the ability of advisers to invest in other aspects of their businesses, including the resources available for client-facing efforts.
These considerations need to be part of the Commission’s broader assessment of the Adviser Proposals and we are troubled that they are not being directly addressed. We are also troubled that the Commission moves ahead with such consequential proposals when its assessment of potential costs and benefits is acknowledged to be highly theoretical and not based on or supported by factual data. Thus, we again call upon the Commission to undertake a more expansive, accurate, and quantifiable assessment of the specific costs, burdens, and economic effects that would be placed on advisers to implement the Adviser Proposals. Specifically, we recommend that the Commission holistically consider the cumulative costs and burdens of existing regulatory obligations along with proposed and adopted regulations. We also urge the Commission to include in this assessment the likely costs and negative impacts of the Adviser Proposals for investors and the financial services landscape more broadly. The Commission should also consider and propose alternative approaches to balance the costs and potential benefits more appropriately.
III. The Commission should directly and more accurately address how its proposed regulations would affect smaller advisers and propose reasonable alternatives.
The IAA has long advocated for the Commission to realistically consider the impacts of its regulations on smaller advisers, which have been disproportionately burdened by one-size-fits-all regulations – both in isolation and cumulatively. New regulations, especially when they are prescriptive, often require substantial fixed investments in infrastructure, personnel, and technology. Depending on the requirements, they may need new or upgraded systems, relating, for example, to documentation and recordkeeping, contract and vendor management, compliance monitoring and testing, operations, custody, business continuity planning, and more. They may also need to expend significant resources on outsourcing, as well as on legal and consulting services. In addition to the considerable burdens borne directly by these smaller advisers, these costs could create meaningful barriers to entry for emerging advisers, and increase pressure on existing advisers for industry consolidation, thereby reducing competition and the investment choices available to investors.
We have frequently called on the Commission to take steps to tailor its rules to minimize these impacts, for example through preserving a flexible, risk- and principles-based approach, excluding or exempting smaller advisers from specific requirements where the burdens on those advisers outweigh the benefits, and tiering and staggering compliance timetables.
Unfortunately, the Commission, as a practical matter, does not accurately analyze the impact of its regulations on small advisers as required under the Reg Flex Act, because virtually no SEC-registered advisers fall under the “asset-based” definition of small adviser adopted by the Commission. Yet, by any rational measure, the vast majority of advisers are small businesses.
Specifically, the Commission adopted Rule 0-7 under the Advisers Act defining “small business” or “small organization” for purposes of treatment as a “small entity” under the Reg Flex Act as including an investment adviser that has less than $25 million in assets under management. However, with few exceptions, advisers are not permitted to register with the Commission unless they have at least $100 million in assets under management, thus making any analysis the Commission does regarding the impact on smaller advisers virtually meaningless.
Accordingly, we plan to formally petition the Commission to publish for notice and comment an updated and amended definition of “small entity” for purposes of the Reg Flex Act that will enable the Commission to more realistically consider the significant and disparate impact of new regulations on smaller advisers and to propose reasonable alternatives. We cannot overstate the impact on our many members that are in fact small businesses of the cumulative costs and burdens of implementing all these new regulations, if adopted.
IV. The Commission should seek public feedback on a comprehensive implementation timeline with tiered and staggered compliance dates for the Adviser Proposals.
We appreciate that the Commission has previously proposed staggered implementation periods, including some that are based on firm size per our suggestion, and we urge it to continue to do so, including for all the Adviser Proposals. The transition periods proposed for each of these proposals are both unreasonable and unrealistic, especially combined, and they demonstrate that the Commission does not fully appreciate the steps that advisers take to implement new regulations, or that new requirements will be layered on top of the extensive existing requirements and advisers’ ongoing implementation of their compliance programs. It is especially important for the Commission to recognize these challenges given the strong likelihood that advisers will need to implement several major new rules concurrently. We urge the Commission to consider the vast scale and complexity of the Adviser Proposals, as well as existing compliance obligations, and adopt a more comprehensive, reasonable, and workable timeline for compliance.
Should the Adviser Proposals be adopted substantially as proposed, it will take significant time and immense effort for advisers to align current compliance and business practices with each of the many prescriptive regulatory requirements under the Adviser Proposals. For example, advisers would need to: establish compliance budgets; develop project timelines; analyze the rules and evaluate how they affect their business; attempt to negotiate or renegotiate written agreements; prepare for new reporting and recordkeeping obligations; draft, update, and implement an internal controls approach; work with internal and external parties (e.g., compliance, legal, and other service providers); and conduct training. All while allowing sufficient lead time prior to the compliance date to receive and integrate deliverables from service providers – which will be strained by the new demands on them and have their own timetables – put systems and controls in place and test them, and train personnel.
Even if the Commission accepts all the IAA’s recommendations on the Adviser Proposals, the sheer scale and speed of these rulemakings will still impose enormous costs on and require enormous efforts from advisers. Advisers will still need to take virtually all the steps described above to develop and/or refine the risk- and principles-based controls necessary to comply with the many new requirements and apply any new Commission guidance. While new requirements will be narrower, principles-based, and more targeted to their business and current internal controls – making their implementation substantially less disruptive – advisers will nonetheless face virtually unprecedented challenges to implement the new rules.
Whether adopted substantially as proposed or with significant modifications, the many challenges associated with these new regulations and proposed compliance dates will without doubt demand advisers to devote significant and increased operational, personnel, and compliance resources during an unreasonably short period of time. Under the compliance periods currently contemplated by the Commission, advisers will be forced to re-allocate the time and resources that are already budgeted to – and for the existing needs of – their compliance programs to implement these new regulations concurrently and in a compressed time frame. It is imperative for the Commission to carefully consider the cumulative effects that all these regulations will have on advisers’ operational limitations and, more importantly, resource constraints, in determining the compliance dates of each of the Adviser Proposals.
The following graph illustrates the daunting task advisers would face in implementing the Adviser Proposals under the timelines being proposed by the Commission.
SEC Proposed Implementation Timeline for Adviser Rulemakings*
*This graph illustrates a timeline for implementing the Adviser Proposals based on the IAA’s reasonable assumptions
regarding the effective dates and the compliance dates being proposed by the Commission for each proposal.
The graph illustrates that advisers would:
- Be required to implement the Adviser Proposals during compressed and overlapping compliance periods while attempting to comply with existing ongoing regulatory obligations designed to ensure a robust compliance culture at the adviser and protect investors. For example, the graph includes required Annual Reviews of compliance programs and Annual Updates to Form ADV. But it is critical to bear in mind that investment advisers are subject to an extensive array of other ongoing regulatory obligations intended to protect investors (g., compliance with the expansive requirements of the new Marketing Rule, recordkeeping, and other reporting and disclosure obligations, to name just a few).
- Be required to comply with 13 new regulations (listed in Exhibit A) requiring massive resources and implementation efforts within 28 months. By contrast, the Commission provided advisers an 18-month transition period to implement the Marketing Rule alone.
- Have approximately 16 overlapping months to implement the substantial requirements of just the Four Proposals (Regulation S-P, Cybersecurity, Outsourcing, and Safeguarding).
Accordingly, the IAA recommends that the Commission seek feedback from all interested commenters (including affected service providers and custodians) for a comprehensive and practicable approach to staggered transition periods that would allow advisers to manage implementation in a workable, organized, and resource-efficient matter. Specifically, the IAA recommends that, whether the Adviser Proposals are finalized substantially as proposed or with modifications – for example, as the IAA has recommended – the Commission publicly put forth a comprehensive timeline for staggered compliance for all the Adviser Proposals (e.g., on the SEC’s website) over at least the next five years (as opposed to under three years as proposed) that: (i) allows advisers to efficiently implement the new rules in a manner that minimizes costs and burdens to the extent feasible and avoids adversely disrupting the effectiveness of existing compliance programs; (ii) permits partial or rolling compliance dates for certain interconnected provisions of the Adviser Proposals (a “tiered” approach); (iii) would be considered when the Commission subsequently proposes new rules within this time frame; and (iv) takes into consideration and provides alternatives based on firm size, given the costs and resource constraints of smaller advisers as discussed above.
Given the importance of this matter to the IAA and our members, we would welcome the opportunity to work with the Commission and its staff in developing a reasonable and workable comprehensive compliance timeline for implementation.
* * *
We appreciate the Commission’s consideration of our comments and recommendations and stand ready to provide any additional information that may be helpful. Please contact the undersigned at (202) 293-4222 if we can be of further assistance.
Gail C. Bernstein
Associate General Counsel
The Honorable Gary Gensler, Chair
The Honorable Hester M. Peirce, Commissioner
The Honorable Caroline A. Crenshaw, Commissioner
The Honorable Mark T. Uyeda, Commissioner
The Honorable Jaime Lizárraga, Commissioner
William A. Birdthistle, Director, Division of Investment Management
 The IAA is the leading organization dedicated to advancing the interests of investment advisers. For more than 85 years, the IAA has been advocating for advisers before Congress and U.S. and global regulators, promoting best practices and providing education and resources to empower advisers to effectively serve their clients, the capital markets, and the U.S. economy. The IAA’s member firms manage more than $35 trillion in assets for a wide variety of individual and institutional clients, including pension plans, trusts, mutual funds, private funds, endowments, foundations, and corporations. For more information, please visit www.investmentadviser.org.
 See Cybersecurity Risk Management for Investment Advisers, Registered Investment Companies, and Business Development Companies, 87 Fed. Reg. 13524 (Mar. 9, 2022), available at https://www.govinfo.gov/content/pkg/FR-2022-03-09/pdf/2022-03145.pdf (Cybersecurity Proposal); Cybersecurity Risk Management for Investment Advisers, Registered Investment Companies, and Business Development Companies; Reopening of Comment Period, 88 Fed. Reg. 16921 (Mar. 21, 2023), available at https://www.govinfo.gov/content/pkg/FR-2023-03-21/pdf/2023-05766.pdf; and Regulation S-P: Privacy of Consumer Financial Information and Safeguarding Customer Information, 88 Fed. Reg. 20616 (Apr. 6, 2023) (Regulation S-P Proposal), available at https://www.govinfo.gov/content/pkg/FR-2023-04-06/pdf/2023-05774.pdf.
 See Letter from the IAA to the Commission re: Cybersecurity Risk Management for Investment Advisers, Registered Investment Companies, and Business Development Companies (Apr. 11, 2022), available at https://www.investmentadviser.org/wp-content/uploads/2022/04/IAA-Cybersecurity-Comment-Letter-4.11.22-FINAL.pdf and Supplemental Letter on IAA Cybersecurity Survey Results to the Commission (Dec. 19, 2022), available at https://www.investmentadviser.org/resources/iaa-supplemental-letter-to-sec-on-cybersecurity-survey-results/ (Cybersecurity Letters); Letter from the IAA to the Commission re: Regulation S-P: Privacy of Consumer Financial Information and Safeguarding Customer Information (June 5, 2023), available at https://www.investmentadviser.org/resources/iaa-supports-sec-proposal-on-protection-of-client-information-with-recommended-changes/ (Regulation S-P Letter).
 See Exhibit A. We note that there are additional Commission rule proposals that, if adopted, will also affect investment advisers. See, e.g., Money Market Fund Reforms, 87 Fed. Reg. 7248 (Feb. 8, 2022), available at https://www.govinfo.gov/content/pkg/FR-2022-02-08/pdf/2021-27532.pdf; Prohibition Against Conflicts of Interest in Certain Securitizations, 88 Fed. Reg. 9678 (Feb. 14, 2023), available at https://www.govinfo.gov/content/pkg/FR-2023-02-14/pdf/2023-02003.pdf. We focus our discussion in this letter on the Adviser Proposals because they are more broadly applicable to, or their effects will be directly applicable on, advisers.
 The IAA’s comment letters to the Adviser Proposals are available at https://www.investmentadviser.org/issues-advocacy/comment-letters/.
 See Outsourcing by Investment Advisers, 87 Fed. Reg. 68816 (Nov. 16, 2022), available at https://www.govinfo.gov/content/pkg/FR-2022-11-16/pdf/2022-23694.pdf (Outsourcing Proposal).
 See Safeguarding Advisory Client Assets, 88 Fed. Reg. 14672 (Mar. 9, 2023), available at https://www.govinfo.gov/content/pkg/FR-2023-03-09/pdf/2023-03681.pdf (Safeguarding Proposal).
 In our Regulation S-P Letter, we suggested that the Commission reopen the comment periods for the Four Proposals to adequately address how these proposals may overlap or interact with one another or with other rules and rule proposals. We recognize that, rather than formally reopening the comment periods for these proposals, the Commission could instead determine to holistically address these important issues prior to adopting the Four Proposals.
 For purposes of this letter, we assume that the Commission intends to shortly consider adoption of the Four Proposals in light of the agency’s recently released Spring 2023 regulatory agenda (available at https://www.reginfo.gov/public/do/eAgendaMain?operation=OPERATION_GET_AGENCY_RULE_LIST¤tPub=true&agencyCode=&showStage=active&agencyCd=3235&csrf_token=314901AF49C09F2935F99382D62409CF25D4C9EC8B75794F5CC22C5AF6D61DBDCB09FD1EDA6125E4633CC6EDFB7D4BE13FA2).
 We reiterate our recommendation that the Commission entirely withdraw the Outsourcing Proposal for the reasons discussed in our comment letter to the proposal.
 We are not alone in our concern. The Antitrust Division of the U.S. Department of Justice submitted a comment letter to the Commission on April 11, 2023, in response to proposed rules relating to market structure changes, calling on the Commission to “carefully consider potential interactions among the Proposed Rules when preparing their final versions, planning for the rules’ implementation timelines, and evaluating the actual effects of the rules once they go into effect.” Comment of the Antitrust Division of the United States Department of Justice on File Nos. S7-29-22; S7-30-22; S7-31-22; and S7-32-22 (Apr. 11, 2023), available at https://www.sec.gov/comments/s7-29-22/s72922-20164065-334011.pdf.
 We use the term “service provider” broadly in this letter to capture the range of entities with which advisers would be required to negotiate specific terms, including, for example, custodians, even though they are not the adviser’s service provider with respect to the custodians’ contracts with their customers.
 While we have not included it in the Four Proposals, we note that the Private Fund Advisers Proposal would also attempt to impose similar third-party contractual requirements, adding to the complexity of implementation.
 While we focus primarily on the Four Proposals in this letter, we believe the Commission should generally pause and take the opportunity to reflect on all the adviser rulemakings, including those that have been adopted, holistically and consider potential problematic areas. For example, we note a discrepancy in the Form PF amendments between the reporting requirements under these amendments and under the Cybersecurity Proposal. Specifically, the Cybersecurity Proposal would require advisers to file a report with the SEC within 48 hours after having a reasonable basis to conclude that a “significant adviser cybersecurity incident” has occurred or is occurring. The Form PF rule for large hedge fund advisers requires the filing of a report within 72 hours of an “operations event.” As a result, advisers would not only need to monitor for, respond to, and file a regulatory report on a “significant cybersecurity event,” as that term would be defined, but also monitor for, respond to, and file a separate regulatory report on an “operations event” under amended Form PF, which could encompass the same cybersecurity incident. The Commission is essentially contemplating duplicative and potentially confusing regulatory reporting by advisers – under oath – for potentially the same event. Both reporting regimes may result in overreporting, unduly impede real-time response efforts, and add unnecessary operational and compliance burdens. While the Form PF amendments have been finalized and are not included in our request that the Adviser Proposals be reopened, we nevertheless offer this as another example of the complexity of the recent rulemakings and their interplay.
 See Letter from the IAA to the Commission re: Outsourcing by Investment Advisers (Apr. 20, 2023), available at https://www.investmentadviser.org/resources/iaa-submits-supplemental-letter-on-outsourcing-proposal/ (Supplemental Outsourcing Letter).
 See Letter from the IAA to the Commission re: Safeguarding Advisory Client Assets (May 8, 2023), available at https://www.investmentadviser.org/resources/iaa-letter-to-sec-on-safeguarding-advisory-client-assets-proposal/ (Safeguarding Letter).
 As noted in the Commission’s Safeguarding Proposal, 92.0 percent of advisers (13,944 out of 15,160 SEC-registered advisers) currently report having discretionary authority and would be subject to that proposal.
 See, e.g., Supplemental Outsourcing Letter.
 The proposed change to the service provider written agreement obligation in the Regulation S-P Proposal is a good illustration. The Commission believes that “even in cases where service providers are willing to adapt processes and contractual terms to meet covered institutions requirements, the task of renegotiating service agreements could – in itself – impose substantial contracting costs on the parties. Contracting costs are likely to be most acute for larger covered institutions, which may have hundreds of contracts that would require renegotiation. These additional costs would likely be passed on to customers in the form of higher fees.” Regulation S-P Proposal, 88 Fed. Reg. at 20667. However, the Commission fails to address these costs, stating that due to data limitations, it is unable to quantify or characterize in much detail the structure of these various service provider markets and that the Commission is unaware of any data sources that provide detail on the reliance of covered institutions on third-party service providers. See id. at 20663 and n. 409.
We have attempted to assist the Commission in making this assessment—in our supplemental letter on the Cybersecurity Proposal, we provided the Commission with results from a survey of our members requesting input on several issues, including members’ current cybersecurity program costs and cost estimates for implementing the various proposed requirements.
 The Regulatory Flexibility Act of 1980 (Reg Flex Act) requires federal agencies to examine the impact of their proposed and final rules on small businesses. Pursuant to the Reg Flex Act, 5 U.S.C. § 601(3), the Commission has adopted a definition of “small business” for SEC-registered advisers.
 Of the approximately 15,000 SEC-registered investment advisers at the end of 2022, 91.7% had 100 or fewer employees with the median adviser having fewer than 10. Two-thirds of advisers employed 50 or fewer people and managed less than $1 billion in assets. Our analysis of these and other data points from the 2022 Form ADV data will soon be published in the IAA’s 2023 Investment Adviser Industry Snapshot. For last year’s Snapshot, see IAA-NRS Investment Adviser Industry Snapshot 2022 (June 2022), available at https://www.investmentadviser.org/wp-content/uploads/2022/06/Snapshot2022.pdf.
 We believe that the Commission should use a more meaningful metric beyond just assets under management. For example, the number of employees would be a useful measure given that implementation of regulation requires personnel, and that the data is readily available in Form ADV and often used in other contexts to define the relative size of companies.
 The IAA strongly supports the enactment of H.R. 2792, the “Small Entity Update Act,” passed by the House of Representatives on May 30, 2023, which would require the Commission to publish for notice and comment an amended definition of small adviser that would enable it to accurately analyze the impact of regulations and consider alternative approaches that minimize the burden on small businesses in accordance with the Reg Flex Act.
 For example, in the Safeguarding Proposal, the Commission proposes compliance dates of one year following the rule’s effective date for advisers with more than $1 billion in regulatory assets under management (RAUM) and 18 months for advisers with up to $1 billion in RAUM. While, as discussed above, we do not believe that an asset-based threshold best addresses the needs of smaller advisers or that the proposed time frame is sufficient for any advisers under that proposal, we very much appreciate the Commission’s recognition and consideration of the disproportionate burdens on smaller advisers and urge the Commission to continue to do so in all its rule proposals.
 The IAA made recommendations as to more reasonable compliance periods than proposed in our comment letters on the Adviser Proposals. Given the number of these proposals that the Commission intends to adopt, however, we are modifying our earlier recommendations to reflect a more cohesive and realistic assessment of what it will take for advisers to implement the myriad new requirements.
 The Compliance Rule (Rule 206(4)-7 under the Advisers Act) requires advisers to adopt and implement written policies and procedures reasonably designed to prevent violations of the Advisers Act and the rules thereunder. This includes policies and procedures relating to an adviser’s fiduciary obligations, which in turn requires, for example, due diligence of service providers, and myriad other obligations. The Compliance Rule also requires advisers to review at least annually: (i) the adequacy of the firm’s compliance policies and procedures established under the rule; and (ii) the effectiveness of their implementation (Annual Review). Moreover, advisers are required to make and keep any records documenting an adviser’s annual review of its compliance policies and procedures. In practice, advisers typically conduct their compliance program reviews on an ongoing basis and either maintain related records or write a report documenting their findings. The Private Fund Advisers Proposal would require all advisers to document their compliance reviews in writing.
 Advisers are also required to file an annual Form ADV amendment within 90 days of the firm’s fiscal year-end (by the end of March for those with a December 31 fiscal year-end) (Annual Update).
 We note that many of the Adviser Proposals would impose new recordkeeping obligations.
 See, e.g., Investment Adviser Marketing, 86 Fed. Reg. 13024, 13092 (Mar. 5, 2021) (providing an 18-month transition period) (Marketing Rule), available at https://www.govinfo.gov/content/pkg/FR-2021-03-05/pdf/2020-28868.pdf.
SEC Rule Proposals and Adoptions after April 17, 2021 (Adviser Proposals)
Enhanced Reporting of Proxy Votes by Registered Management Investment Companies; Reporting of Executive Compensation Votes by Institutional Investment Managers [87 FR 78770 (Dec. 22, 2022)]
Amendments to Form PF to Require Current Reporting and Amend Reporting Requirements for Large Private Equity Advisers and Large Liquidity Fund Advisers [88 FR 38146 (June 12, 2023)]
|Private Fund Advisers
Private Fund Advisers; Documentation of Registered Investment Adviser Compliance Reviews [87 FR 16886 (Mar. 24, 2022)]
Cybersecurity Risk Management for Investment Advisers, Registered Investment Companies, and Business Development Companies [87 FR 13524 (Mar. 9, 2022)]
Shortening the Securities Transaction Settlement Cycle [88 FR 13872 (Mar. 6, 2023)]
Modernization of Beneficial Ownership Reporting [87 FR 13625 (Mar. 10, 2022)]
Investment Company Names [87 FR 36594 (June 17, 2022)]
|Adviser and Fund ESG
Environmental, Social, and Governance Disclosures for Investment Advisers and Investment Companies [87 FR 36654 (June 17, 2022)]
|Form PF Reporting
Amendments to Form PF to Amend Reporting Requirements for All Filers and Large Hedge Fund Advisers [87 FR 9106 (Feb. 17, 2022)]
Outsourcing by Investment Advisers (87 FR 68816 [Nov. 16, 2022])
Open-End Fund Liquidity Risk Management Programs and Swing Pricing; Form N-PORT Reporting [87 FR 77172 (Dec. 16, 2022)]
Safeguarding Advisory Client Assets [88 FR 14672 (Mar. 9, 2023)]
Regulation S-P: Privacy of Consumer Financial Information and Safeguarding Customer Information [88 FR 20616 (Apr. 6, 2023)]