A couple of weeks ago, Jessica Rogers of DLA spoke on the topic of SEC due diligence demands for service providers at a webinar co-hosted by MyComplianceOffice and DLA. You can view a recording of the webinar and download the slides here.
During the webinar and in the time that followed the event, Jessica received a number of follow-up questions that primarily centered on the practical question of, "So now that I know what I'm supposed to do, how do I overcome the hurdles to actually get this process off the ground?" In this three-part series Jessica breaks this question down and addresses the three most common obstacles that her clients encounter when they first try implementing a critical service provider review program.
Hurdle 3) - Selecting the Right Vendors
Selecting the Right Vendors – If your firm has not been running any type of vendor due diligence program prior to this point, it can be confusing to decide where to start. This is where it is important to go back to the risk assessment of the firm's business as well as its size and resources. We would generally recommend taking on two to four vendor reviews per year for the average small and medium-sized firm.
The SEC has focused on advisers' exposure to technology in particular when discussing vendor due diligence (with respect to both technology failures and data breaches), so we would recommend factoring this into your selection process. First, your information technology service provider should be considered, as well as any areas where your firm relies heavily on technology, such as pricing or trade execution. Second, you should consider the vendors that have the most impact on the safety of client funds and assets and that have the most exposure from a fee and expense perspective. These would likely be custodians, administrators, and brokers.
Continue working through the process of listing all the firm's vendors and determining the risk exposure each presents, as well as any significant mitigating factors, such as having a ready alternative or backup to the provider, until you have risk-weighted all of your critical service providers. Those that pose the most risk exposure should be reviewed first, and also most frequently (e.g. annually). Those that pose less risk can be on a longer review cycle of 2-3 years. If anything negative comes up as part of this review process, such as identifying gaps in controls or data breaches that might have an impact on the adviser, the vendor should be placed on a more frequent review cycle.
This is the final post in our three-part series titled "Overcoming the Vendor Due Diligence Hurdles". We will be conducting more similar series in the future. Subscribe to our blog to stay notified.
Content written by: Jessica Rogers of DLA
DLA provides internal audit, forensic accounting, litigation support, compliance and advisory services to over 200 public and private companies in a wide variety of industries. The compliance team has in-depth experience with financial firms, including broker-dealers, registered investment advisers, hedge funds and private equity funds. Our scope of services ranges from developing and implementing compliance programs and risk assessment and testing (including annual reviews and mock audits) to ongoing advisory and monitoring.