Due diligence is important whether you are considering a third-party money manager, cloud data storage provider or an office cleaning service.
This quick reference guide can walk you through the development of your firm’s due diligence process.
Regulatory Opinion on “Outsourcing”
You cannot outsource your supervisory responsibilities. This means you must make your best efforts to ensure that your vendors are doing what they are supposed to be doing. When you outsource operations and functions, the regulators do not look further than your internal controls—even if the third-party service provider (or vendor) did not perform as promised.
Types of Vendors on Which You Need to Perform Due Diligence
The following is a partial list of the types of vendors on which you need to perform due diligence:
- Third-party asset managers or sub-advisers (money managers)
- Mutual funds, limited partnerships and other investment vehicles
- Portfolio and back office services
- Compliance consultants
- Technology—computer services
- Proxy voting services
Information Gathering on Vendor
Here is a list of the information you’ll need to gather on your vendors:
- About the company and history
- If the vendor is a regulated firm (BD or RIA):
  - Obtain Public Disclosure records (from BrokerCheck or IAPD)
  - Obtain Form ADV 2 disclosure documents
- If the vendor is an investment company, obtain prospectus or offering memorandum
- Financial and managerial strength
  - Obtain financial statements
  - Obtain biographies of managers
  - Evaluate recent changes in management or ownership
- Litigation/arbitration or other legal history or complaints
- Services and/or products offered by company
  - What is the workload capacity of the vendor to take on a new client of your size?
  - Are you too small a client and likely to be treated as a low priority?
- Vendor responsibilities—what are their contractual obligations?
- Responsibilities retained by your firm (or responsibilities assigned to your firm by vendor)
- Review all contract provisions
- Recourse if vendor fails to perform as promised (waivers of liability in contract)
- Conflicts of interest
  - Does your relationship with the vendor create a conflict of interest?
  - Does the vendor have any conflicts with its existing affiliates or centers of influence?
  - Do any conflicts create a disclosure requirement to your clients, or are the conflicts too great to overcome, preventing you from doing business with the vendor?
- Succession plan
- What is the vendor's reputation? Seek references from satisfied clients and inquire with colleagues
- Schedule an on-site visit to the vendor to kick the tires and meet management and support staff
- Document all your data gathering and due diligence efforts in your compliance files
Representations of Internal Controls by Specified Vendors
Vendors that are “critical business constituents” (e.g., banks, custodians and third-party asset managers) must provide you with documentation or a representation of their internal controls on their business continuity plan.
Vendors that have access to personal and confidential client information (e.g., custodians, IT consultants and auditors) must provide you with documentation or a representation of their internal controls on the following:
- Privacy controls under Regulation S-P (safeguarding information)
- Identity theft prevention program under Red Flags Rule (Reg S-ID)
- Cybersecurity plan to protect information; detect and respond to security breaches
As a best practice, this type of information should be obtained from all vendors, even those that do not meet these criteria.
Conduct Ongoing (Periodic) Due Diligence
Assign the appropriate supervisor to oversee the vendor's work and examine the following:
- Is the vendor performing as promised?
- Have contract provisions changed, and do they need re-evaluation?
- Have there been changes in management, financial strength or legal matters?
- Is the vendor keeping up with regulatory changes that you must abide by?
- Has there been bad press?
Todd Sakoda brings 20-plus years of experience in the financial services industry ranging from compliance and operations to business development and relationship management. His last 12 years have focused on independent registered investment advisory firms. Over his career, he has also worked with independent broker-dealer advisers and bank investment programs. He is a coach, along with John T. Carr, in the FPA Coaches Corner for Compliance, where this resource guide was first published.
John T. Carr represents financial services professionals to limit, defend and/or deflect liability in regulatory investigations, enforcement actions, arbitrations and court cases pending before Oregon Circuit Courts, Washington Superior Courts and the United States District Courts for the District of Oregon and the Western District of Washington. Carr is known as one of the preeminent legal advisers to financial advisers, having represented hundreds of industry clients over multiple decades. He is a coach, along with Todd Sakoda, in the FPA Coaches Corner for Compliance.