
What the SEC’s proposed vendor due diligence rule means for registered investment advisers

Jan 26, 2023

The SEC may soon adopt a new vendor due diligence rule. Here is what it could mean for your investment firm.

In late October 2022, the Securities and Exchange Commission (SEC) released its proposed vendor due diligence rule, also referred to as the “outsourcing proposal” and the “independent contractor proposal.” The proposed rule would require registered investment advisers (RIAs) to satisfy specific due diligence elements before retaining a service provider to perform certain advisory services or functions. Advisers would have to conduct due diligence and periodic monitoring for all covered third-party service providers and obtain reasonable assurances that each provider can and will meet certain standards. Finally, the proposal would require advisers to maintain books and records related to the new oversight obligations and to report census-type information about the service providers covered under the rule.

While the proposal has been met with opposition, its stated purpose is to protect against investor harm in circumstances where investment advisers do not properly vet and monitor their service providers. If the rule is adopted, it will likely expand advisers’ due diligence responsibilities, making careful vendor vetting more important than ever for protecting investors and clients.

Why is vendor due diligence important for investment advisers?

The SEC expects RIAs to vet their service providers, both to protect the firm from potential regulatory penalties and to protect clients from risk introduced through third parties. Vendor due diligence has several benefits, including:

•    Ensures investment advisers can identify and mitigate the risks associated with a vendor, enabling them to require corrective action before a contract is executed.
•    Uncovers useful information to help the RIA decide whether the vendor is a suitable third-party partner.
•    Surfaces issues the firm did not anticipate; when the remaining steps of vendor due diligence are carried out consistently, investment advisers can address and remediate those issues proactively to mitigate or eliminate the risk.
•    Protects the RIA and its clients from risk exposure introduced through the third-party vendor.

How can investment advisers strengthen their vendor due diligence?

So, what does this mean for investment advisers? Working with vendors is a critical part of doing business, but those vendors are trusted to access, handle and transmit highly sensitive client and firm information, so that trust has to be verified rather than assumed.

As the vendor ecosystem expands and security threats evolve, firms should be proactive in their due diligence process. Here are a number of ways investment advisers can mitigate risk and meet the demands of due diligence regulations:

•    Thoroughly research the vendor. This can reveal potential issues, customer complaints, and the strengths and weaknesses of the product or service.
•    Sign non-disclosure and confidentiality agreements with the third-party vendor before sharing any non-public information.
•    Review and understand the vendor’s information security policy, and ask for any independent evidence that it is actually followed, such as a recent third-party audit or assessment report.
•    Review the vendor’s business continuity plan. If the vendor experiences a business disruption and does not have the proper redundancies in place, it can cause a business disruption for your investment firm, too.
•    Ask the vendor whether it has experienced any security breaches. If so, ask for the relevant details of each incident, including what data was affected and what was changed afterward.
•    Ask the vendor how it manages risk internally and what kind of testing it performs to make sure its risk management controls are working.
•    Understand which third-party vendors the vendor relies on itself (its subcontractors), how it manages them and how it mitigates the risks they introduce.
•    Know which of the vendor’s employees will have access to non-public information, and make sure sensitive information is shared only with the employees who need it.
•    Make sure the vendor has access only to the specific information needed to provide the contracted service, and nothing more.
•    Perform initial due diligence before onboarding, and be sure to perform regular ongoing due diligence on each of your vendors, since a vendor’s security posture can change over time.

In addition to these practices, firms might find it beneficial to implement a vendor due diligence solution. Performing annual reassessments with a modern vendor due diligence solution will help RIAs stay secure and compliant. Such solutions simplify the vendor risk management process by automating the most resource-intensive aspects of vetting third-party service providers.

At RIA in a Box, we recognize that third-party vendor due diligence is one of the most critical cybersecurity and data security challenges investment firms face today. RIA in a Box offers a vendor due diligence platform that helps RIA firms meet those challenges.

The free version of our vendor due diligence platform allows an investment firm to connect with up to 5 vendors to automate its third-party technology vendor due diligence review and documentation. The platform handles that task for you, so your firm can dedicate its time to other work that adds value.

RIA in a Box LLC is not a law firm, investment advisory firm, or CPA firm. RIA in a Box LLC does not provide legal advice or opinions to any party or client. You should always consult your relevant regulatory authorities or legal counsel if applicable.