How will the Securities and Exchange Commission’s (SEC) Proposed Rule 206(4)-11 impact your registered investment adviser (RIA) firm in 2023?
Proposed SEC Rule 206(4)-11, also known as the outsourcing rule, aims to further protect investors and clients by requiring RIAs to satisfy specific due diligence elements before retaining a service provider to perform certain advisory services or functions.
The proposed rule would prohibit RIAs from outsourcing covered functions without conducting appropriate initial vendor due diligence, monitoring service providers on a continued and consistent basis and maintaining the requisite oversight of outsourced services.
Although the proposed rule has faced opposition, its purpose is to prevent potential investor harm when RIAs fail to properly vet and monitor their service providers. If the rule is adopted, it will likely add to investment advisers’ due diligence responsibilities, heightening the importance of vetting vendors in order to properly protect investors and clients.
While this proposed rule may add requirements, the need for proper vendor due diligence is not a new concept for RIAs. In fact, it has been an ongoing focal point for many firms as they aim to protect themselves and their clients. To that end, we’ve developed a vendor due diligence checklist that your investment firm can follow to proactively mitigate risks when selecting vendors.
Vendor due diligence checklist for investment advisers
To meet the demands of due diligence responsibilities, your investment firm can take proactive measures to mitigate risks when selecting vendors. Here are some ways to help ensure due diligence:
- Thoroughly research the vendor. This can reveal potential issues, customer complaints, strengths and weaknesses of the product or service.
- Review and understand the vendor’s information security policy.
- Review the vendor’s business continuity plan to ensure the proper redundancies are in place. Not having these in place can cause a business disruption for your investment firm, too.
- Ask the vendor if they have experienced any security breaches and for relevant details regarding any such incident.
- Understand how the vendor manages risk internally and what kind of testing systems they have in place to ensure their risk management systems are working.
- Know what types of third-party vendors the vendor is using, how they manage them and how they mitigate potential risks.
- Sign non-disclosure and confidentiality agreements with the third-party vendor.
- Ensure sensitive information is only being shared with the necessary employees and the vendor only has access to the specific information needed to provide the service they are supposed to provide.
- Perform initial due diligence and regular ongoing due diligence for each of your vendors.
In addition to these tips, investment firms may find it beneficial to implement a regulatory compliance solution. A vendor due diligence solution can simplify the vendor risk management process by automating the most resource-intensive aspects of vetting third-party service providers.
RIA in a Box offers a vendor due diligence solution which helps RIAs meet the challenges associated with vendor due diligence. The platform streamlines the firm’s initial and ongoing third-party due diligence on a single platform and actively mitigates the risk of third-party information security breaches. Users also benefit from calendar reminders to regularly complete vendor due diligence activities.
At RIA in a Box, we recognize the critical role third-party vendor due diligence plays in cybersecurity, data security and the overall success of your investment firm, and we offer a vendor due diligence solution to help RIAs meet the challenges associated with vendor due diligence.