SEC Due Diligence Demands -

Q&A: Your Questions Answered

The SEC requires that you conduct due diligence on your service providers to protect yourself from exposure to risk and your organization from potential regulatory fines. This webinar was hosted with Jessica Ruby of David Landau & Associates, LLC on Oct 27th.

 You can download a full copy of the slides from this webinar.


Full video transcript available below:

Let me see, I have a question here, if you could give us an example in practical terms without breaching any confidentialities of kind of difficulties and the obstacles that firms are facing in trying to implement these kinds of programs.

I would say, the number one obstacle is that while compliance personnel are understanding the importance of this review, there's always the challenge of getting senior management to understand the importance and when to spend the time, and investment on that. Number two, is also, I'd say the biggest challenge we see is getting the questionnaires, and the information back from these service providers. That's why we emphasize having that designated individual to do that, because it is going to take a lot of followup, and picking up the phone. Again, you have to use a risk based judgement, in terms of the firm of the type of pressure to apply. Whether that's saying, we're not going to renew the contract without this information, or take a softer approach than that. I would say, the followup and getting senior management on board are probably the two biggest obstacles we've seen.

Okay. Thank you. I have another question, here. Under brief, how should fees be checked? By conducting an RFP or is there a less attentive methods that you think is appropriate?

I would say, by calling around and getting quotes from other service providers, or even just reviewing the contracts and going back to them. We have had clients that when they include this process as part of their review, they have been able to negotiate it down, the price they're paying with the current service providers, so that they can keep the business going. I would definitely say, maybe not every year, but periodically going to the marketplace, and looking at other options, and getting other quotes.

Okay. Conducting an RFP is probably ...

Step too far.

Okay. Another question, here, that came in. Are there any particular service providers that are perceived to represent the greatest risk, and tend to be looked at more closely than others, or that are clients should be looking out for?

I'd say, definitely technology, is your biggest risk at your firm, internally. Looking at your IT service provider, as well as any type of, if you're using a pricing service, I'd say that particularly is important, and that came up, SEC spent a number of pages discussing that. Any type of, if you're using technology vendors, any type of software, too. Looking at those types of things, as well. I would definitely say anything in the technology and kind of pricing sphere would be particularly important.

Okay. I have another one, here. Is there any area that the SEC are likely to put, how much emphasis you think the SEC would like you to put on due diligence in this area in 2017?

We're going to see more and more, obviously, you cannot say for sure in the next year, but this was a big component of the proposed rule making that came out in June. Obviously, we're still waiting to see how that's going to look in final form. It's something that they, whatever they release guidance that includes this they typically expect firms to implement that guidance and recommendations. We probably are going to see it coming up in the future on exams, when SEC staff is on site, more and more in the future.

Very good. Another question, here. What do you recommend should be in the annual report presented to the board, each year? I guess, probably important in terms of getting buy in and maturing tone from the top that is correct here on your end, and maybe even getting resources.

Yeah. In the annual report, I would note the SEC's recommendation, and guidance in this area, and I would demonstrate what the firm is currently doing, and what the propose the firm should be doing in the annual report that's discussed with senior management.

Okay. Another question, here. Is there a way to get notified, if a proposed rule gets confirmed, or inactive? I'm not sure [crosstalk 00:23:26].

Number one, used to be prescribed to the SEC's, they have a number of different, if you go on their website mailing list, and you want to make sure that you are on the one that's been noticed about rule making, and that type of thing. The other thing, too, if you work with compliance consultants like DLA, or you have a good relationship with counsel, lawyers and compliance consultants we typically send out blasts to notify our clients of these types of things, too. I'd say, get on list with us, with whoever your lawyer is, or outside consultant, as well as make sure you're subscribed to the SEC press release list.

Very good. I have one more question. We have a lot of questions about the slide. The slides will be available to download early next week. We'll send everybody an email with the link on that, as well as the video of the slides with voiceover. If anybody has any more questions, please send them in, now. I have one last question that we've received. Jessica, what challenges do you meet when trying to get resources to deliver these programs? That's a daily question, for most professionals.

I'm sorry what ...

What challenges do you meet when trying to get resources to deliver these programs?

Number one, is just in terms of challenges and delivering these programs. I'm not sure I totally understand, but I think it goes back to how the senior management understands that this is an area of emphasis with the SEC, because it does take a lot of time to form these questionnaires, followup with vendors, review the documents, and put this together in a presentation at the end. Getting them on board with understanding the importance, that's the biggest challenge. That is key in getting someone to be able to delegate or designate that amount of time doing it.

Thank you. I have one more question, here. When dealing with a large custodian, is it acceptable to you that they have provided on their own website satisfied due diligence requirement?

Since this is becoming more common, if this custodian is getting these requests, and prepared for those reviews, and you're able to complete the questionnaire through information that they've posted on their website, and plus I would do an internal questionnaire, as well. I don't see a problem with that, if they have their business continuity plan posted, or disaster recovery plan, among other things, SSAE 16 report.


It will make your job easier.

There's a good one, here, actually, which is an [inaudible 00:26:43] that we see more development, or thinking around this, we're being honest, what are your thoughts on due diligence for vendors of our critical vendors, so the fourth-party more than just the third-party?

For vendors of the critical vendors, I think that is important to consider, and I think that's one of the reasons why, when you go out to these vendors, particularly, I would say, cyber, and disaster recovery is just, the SEC is just reminding us, again, and again, and again about the importance of that. That's why it is important to look at your vendors, their cyber, and disaster recovery plan, because that's the area where they're probably most vulnerable, and where they are relying most likely on another vendor.

This webinar was co-hosted with DLA. To learn more visit
