SEC Due Diligence Demands

Vendor Due Diligence & Questionnaires

The SEC requires that you conduct due diligence on your service providers to protect yourself from exposure to risk and your organization from potential regulatory fines. This webinar was hosted with Jessica Ruby of David Landau & Associates, LLC on Oct 27th.

 You can download a full copy of the slides from this webinar.


Full video transcript available below:

Okay. We recommend the use of due diligence questionnaires in order to complete this process. They are a great tool for collecting and tracking information, and can also be stored in MyComplianceOffice, as well. The questionnaires should be completed by the service providers and should include such things as a review of periodic compliance reports or certificates, internal controls, like the SSAE 16, which discusses technology controls, among other things, and audited financial statements. A privacy policy, and control around client confidentiality. Identification of key employees associated with the account, and their qualifications, particularly if there have been any staffing changes associated with the account in the last year.

You should also, in the questionnaires, ask for the service provider's disaster recovery plan, and cybersecurity policy, and notification of any data breaches in the past year that may have affected the advisor, or the advisor's clients. The vendor should at least provide a summary, if they don't provide the actual policies. You should also ask for a description of any regulatory or legal issues over the last year, and identify any conflict of interest between the service provider and the advisor, or its clients, and what policies the service provider has in place to prevent conflicts. As mentioned previously, some form of the above should be done on each service provider prior to entering into a contract with them, or if there is an existing relationship, on an ongoing basis commensurate with the risk they pose to the adviser's business or its clients. Next slide.

In addition, we would also recommend designating a person at the adviser responsible for following up on completed questionnaires. This often requires a personal call to the vendor to help facilitate the process, as well as reviewing all the documentation received, and conducting additional due diligence, as needed. Everything you receive needs to be reviewed, not just ticked off on a checklist. Also, particularly if there is anything uncovered, like their husband died of breaches, or any type of legal issues. Those are things you'd want to follow up, and look into a little more. In addition, if the person tasked with this assignment is not senior at the firm, you'll want to have the higher ups emphasize the importance of this review. Next slide.

We also recommend, as part of this process, having an internal questionnaire completed on the service provider. This should seek to confirm that there is not any material negative news, lawsuits, regulatory actions, or sanctions against the service provider from publicly available sources. This can best be determined if your firm has access to a screening tool such as World-Check, which is incorporated into MyComplianceOffice, or Complinet. Otherwise, you should at least do a simple Google check. You should also review the fees spent on the service provider compared with other competitors in the market to determine if the adviser's clients are getting the best value for their services. However, if you do discover that the service provider isn't necessarily the cheapest on the market, but they bring a certain level of experience or quality to the services they provide, this would be a great place to note that. Next slide.

In addition, you should also seek to confirm internally, with the appropriate employees, that the service provider is adequately meeting the needs of the adviser and its clients. In other words, if they are fulfilling the terms of their contract, they're responsive to phone calls, emails, et cetera. You could also consider creating a performance scorecard for this. Also, note here if there's any face to face contact between the advisor and the service provider, or how often you communicate with them. If this is a new relationship, we would recommend seeking two to four references, and including these in your vendor file. Also, make sure you note any other factors that were important in selecting this service provider, such as hiring a smaller firm instead of a big name client, because you'd be a more important client to them. This will be important when it comes time to review the service provider again in the future, or to show regulators why you selected this particular service provider over others.

This webinar was co-hosted with DLA. To learn more visit 
