Intro (00:00):
This is Advisor Intelligence, the podcast for investment advisors and financial institutions. In each episode, attorneys from your investment management and securities team break down compliance, regulation and risk into practical insights that help you stay exam ready and ahead of what’s next. This podcast is brought to you by Stark & Stark.
Ron Minsky, Esq. (00:29):
Welcome to today’s edition of the Advisor Intelligence Podcast. My name is Ron Minsky. I’m an attorney with Stark & Stark. I’m here with my colleagues, Steve Galletto and Jeffrey Lang. And today we’re going to be talking about vendor due diligence and due diligence on licensed professionals that you may work with. Some of the topics we’re going to touch on include the onboarding of a third-party vendor, what type of due diligence needs to be done, and ongoing supervision of third-party vendors. So Jeff, why don’t you kick it off by talking about what we need to do to do our due diligence to onboard a new third-party vendor.
Jeffrey Lang, Esq. (01:13):
So what we want to be thinking about in terms of vendor due diligence is first and foremost, is that vendor going to be one with which we share personal information of the clients? And that certainly brings it into focus in terms of the additional information we might want to get in terms of privacy policy. We want to get a privacy policy for everybody, but we want to be very, very careful in terms of firms that will receive sensitive information from us and what built in procedures, policies, and capabilities they have with respect to protecting that information and handling sensitive information to perform their tasks.
Stephen Galletto, Esq. (01:55):
So the first question is, well, why do I have to do this? Well, because you’re giving your client sensitive information to this vendor to be able to help service this relationship. It’s not necessarily a CPA or lawyer, damn lawyers, that you are putting contact and information in their hands. A CPA, maybe you’re providing copies of account statements or something like that, but it’s also your Redtails, it’s your Black Diamonds, it’s your Orion where all of this information flows over to these vendors. It’s stored there. They use the data and the information you provide to them in order to create reports that you then repurpose and provide to the clients. So this is all consistent with your privacy policy, which allows you to share this information in order to continue to service the client relationship. So you don’t need the client approval upfront, but you as a fiduciary are picking and choosing the vendors that you’re working with.
(02:48):
Again, you can pick and choose to provide client information with a CPA or an accountant or a damn lawyer and you should be mindful as to who these folks are. And I think the due diligence gets more interesting, interesting in a bad way when you’re looking at the professionals, the third party professionals that are going to be rendering additional services to your clients. But it’s also essential from a data privacy standpoint that when you’re engaging a large technology vendor to make sure that you’re going through and you’re getting that due diligence packet from those folks and you’re spending the time, you’re reviewing it, you’re making sure that you understand what they provided you and asking follow up questions if things just don’t actually make sense. So that’s why, right? Why? Because we’re fiduciaries and because we’re required to.
Jeffrey Lang, Esq. (03:31):
And I’ll just add to that list. A lot of times some of the weightier reviews will be done on some of these big technology providers, but this topic also lends itself to sub-advisors or third-party managers with whom you may share sensitive information. And we’ll talk about that more in a moment, but if you’re working with sub-advisors and third-party managers and you’re conducting due diligence, you have the whole separate element of their investment advisory practice. You may also be gathering due diligence information on their ADV, their regulatory filings, their policies and procedures of how they run their business, their performance, how they do what they do operationally. So depending upon the nature of the vendor that you’re looking at, it may shift a little bit the type of vendor information that you get. You’ll also want to, on a lighter level, for example, if you have a cleaning crew that you have a contract with, that’s a vendor.
(04:34):
That’s someone where obviously it’s not a direct data sharing situation like the ones we were talking about a moment ago, but are we dealing with a bonded insured crew? Do they have any background issues that we need to be aware of that we can find out through some background exploration or Googling? So it’s due diligence on a few different levels. It’s also going to be both initial due diligence and ongoing due diligence. So what does ongoing due diligence look like? Ongoing means that on at least a yearly basis, I’m going to be reviewing this due diligence information and gathering any new or revised information. If during the year there’s some kind of material event or situation that occurs with respect to the vendor that may cause me to revisit my due diligence exercise more frequently than they are.
Stephen Galletto, Esq. (05:25):
Like a data breach or something like that.
Jeffrey Lang, Esq. (05:26):
Yeah, data breach. Exactly.
Ron Minsky, Esq. (05:27):
It’s important also to remember that you’re not just dealing with that one third party vendor. You’re responsible for the due diligence on any sub vendors or subcontractors that that vendor may use. If you’re dealing with an IT vendor, let’s say, and that IT vendor farms out some of their responsibilities to another IT company, that sub vendor is also your responsibility now.
Jeffrey Lang, Esq. (06:00):
Yeah. And at the very least you want to be comfortable that to the extent that they’re using some form of sub vendor, have they conducted the appropriate due diligence and are you comfortable with your vendor’s process for reviewing this so that you’re comfortable that when they farm out to somebody, they’ve done their homework. They have the processes.
Stephen Galletto, Esq. (06:20):
You want that client data to be secure, right? You want that security and really the full understanding from that vendor, right? Exactly how sensitive the information that they’re holding is. And the industry that you work in as an investment advisor and the level of regulation and your duty as a fiduciary, what that ultimately means. That’s what you’re looking for out of your vendor.
Ron Minsky, Esq. (06:45):
Right. And we’ve talked a lot about data protection of data, protection of clients information. Other important things to look at are the history with these vendors. Do they have a history of following through on their agreements? Do they have a history of if you’re dealing with, say, licensed professionals, as Steve mentioned, the accountants, the attorneys, is there any disciplinary history there?
Jeffrey Lang, Esq. (07:12):
Is the license still in good standing?
Ron Minsky, Esq. (07:14):
Is the license in good standing. It’s very easy to obtain history on licensed professionals. So we want to look not just at data protection, we want to look at the performance history of a lot of these vendors.
Jeffrey Lang, Esq. (07:28):
One of the other things we’ve talked about is having a due diligence folder relative to each vendor, and I emphasized earlier, this is something that examiners are looking at. This is part of their examination module: to ask for and want to look at vendor information. One area that pops up occasionally, that I’m running into in some of my exams and is something to think about, is firms will say, “Well, we acquired this other firm during the year, or this other advisor joined us during the year. We hired another investment advisor rep. This person uses a certain technology, or that firm used a certain technology, which they’ve brought into the fold now and is used in the firm.” Make sure that that becomes part of your due diligence exercise. Another thing I see pop up: part of the due diligence folder is going to be the agreement that you enter into with the vendor.
(08:22):
That is part of the due diligence because that speaks to a lot of the attributes of how they run their business, how they do what they do, what their privacy is. A lot of that is laid out in the agreement. So you want to make sure that each due diligence folder contains the agreement that you have in place. If there have been any amendments or revisions to that agreement, make sure that they find their way into the folder as well. The examiners will invariably ask to see the agreement and expect it as part of the due diligence folder for that vendor.
Ron Minsky, Esq. (08:53):
I’m glad you brought up agreements, Jeff, because the vendor agreement is a critical piece to this. There are certain things that need to be in a vendor agreement for an investment advisor that may not need to be in a vendor agreement in other industries. We’re looking at things like certain reps and warranties that a vendor may need to make for us. We’re looking at whether that vendor recognizes the rules and regulations that an investment advisor is subject to that other industries may not be subject to.
Stephen Galletto, Esq. (09:29):
Well, we were talking in a previous podcast about the incident response plan that’s now required for investment advisors. For smaller investment advisors, SEC registered investment advisors with 1.5 billion in assets under management, the deadline speaking of June, for those firms that are over 1.5 billion, the deadline was in December. It’s imperative that we do our best to get some sort of provision in that agreement with that vendor that if there is some sort of data breach, they inform us as soon as possible. The investment advisors have a 72 hour reporting window for that as soon as they become aware of a data breach. So trying to get something like that worked into the agreement as part of the due diligence process as well.
Ron Minsky, Esq. (10:09):
Some other important parts of the agreement are business continuity. What happens if this particular vendor cannot fulfill their responsibility under the agreement? Do we have a plan B? Do we have a way to get our data back, whatever data we’ve shared with a vendor that has now breached the contract or maybe they’ve gone out of business? What happens to the data that we’ve shared with this vendor? What are the termination clauses that might be in this vendor agreement? There’s a number of things we need to look at when we are drafting or reviewing these vendor agreements.
Stephen Galletto, Esq. (10:48):
As an SEC registered investment advisor, you have a books and records requirement. If you’re leaning on a vendor, like a cloud service provider or something along those lines to be your primary repository for your books and records data, what happens if for whatever reason you terminate that relationship or they terminate the relationship? How do we get access to that information? How do we stay compliant based upon the vendor we chose to engage with? We need to have an exit strategy.
Jeffrey Lang, Esq. (11:15):
Exactly. Right. This pops up sometimes too with email. If you’re switching from email vendor A to email vendor B or something like that, what happens to all my old email? Do I have it? Do I have to pay to have it held on a platform somewhere? I’ve seen that pop up a few times.
Stephen Galletto, Esq. (11:34):
Right. And space is expensive. You learn that. Space
Jeffrey Lang, Esq. (11:37):
Is very expensive.
Stephen Galletto, Esq. (11:38):
You learn that very quick.
Ron Minsky, Esq. (11:40):
Jeff had talked about some of the ongoing responsibilities that we have with our due diligence with third party vendors. So we’ve talked a lot about what we need to do when we onboard a new third party vendor. Maybe we could talk a little bit about now about some of our ongoing responsibilities. What do we have to do on an annual basis to make sure that all of our vendors are compliant?
Stephen Galletto, Esq. (12:04):
Well, I think it really depends upon the type of vendor and what you’re using them for. To Jeff’s point, if you’re working with a sub-advisor as a vendor, you have access to that sub-advisor’s Form ADV. That sub-advisor is responsible for reporting any incidents or complaints or regulatory issues. So you get at least that level of reporting, or you should be able to rely upon that level of reporting on the Form ADV Part 1. But if you’re dealing with a large service provider like AWS or some large platform like that, how are we going to be able to keep up with that? How are we going to get that information? We’re going to request the due diligence packet again, right? Hopefully, again, we’re dealing with a large vendor in this instance that’s going to get a SOC level one audit on a regular basis, possibly a SOC level two.
(12:53):
And you’re going to absorb that information as best as you possibly can. If you don’t understand how to read a SOC level one audit or SOC level two audit or what the difference is, maybe you’re not the best person to review the due diligence, right? Maybe we need to outsource that due diligence. Maybe we need to find somebody that’s knowledgeable about these things that can spot issues, spot concerns for us. Always thinking ahead, always thinking about what the next thing could possibly be. I think that’s why it’s important that these due diligence processes are in place, where we’re going to ask for the information on an annual basis. We’re going to look for the differences. We’re going to ask questions about changes in the industry, changes in new service offerings. How about this? How about a long-term vendor you’ve used for over a decade? AI is hitting the marketplace and you’re getting access to an AI tool and you don’t even want it, right?
(13:42):
Here you go. Here’s your AI tool that you are now paying more money for but you didn’t want. It’s a whole new level of due diligence, right? Are we able to turn that AI tool off? Is it learning from the information that we’re putting into it, the questions we’re putting into it? Is it closed end where we pay for some level of enterprise level of authority or control over the data that we share with that AI tool that’s embedded in this vendor tool and we don’t have to worry quite so much. We still need to ask the questions. Even longstanding vendor relationships can change whether you ask for it or not. So we need to be mindful of these things.
Ron Minsky, Esq. (14:20):
And you mentioned books and records requirements, Steve. And a lot of these AI tools create a whole host of new books and records
Stephen Galletto, Esq. (14:27):
Requirements
Ron Minsky, Esq. (14:28):
For us and the data’s still out on what books and records requirements investment advisors are going to have as far as AI goes. But that’s an important consideration that we’re going to have to look at is if AI tools are being forced upon us or offered to us, what new books and records requirements is this going to open us up to?
Stephen Galletto, Esq. (14:52):
And is there something we can do within that vendor agreement to possibly mitigate that?
Ron Minsky, Esq. (14:58):
Right.
Stephen Galletto, Esq. (14:58):
Right.
Ron Minsky, Esq. (14:59):
And since we’re mentioning books and records requirements, this is a good segue into what our responsibilities are as an investment advisor for putting these into our policies and procedures and educating and training all of our reps and employees on third party vendor due diligence.
Stephen Galletto, Esq. (15:20):
Well, I think the important thing there is tying it into your business continuity plan. If we have an outage, if we have a service provider that is unreliable, to an extent that we need a secondary, what is that secondary going to be? These days, I’m not seeing a secondary option for a lot of investment advisors when I’m looking at their business continuity plan when it comes to, well, we rely upon this cloud service provider to host our systems, right? This is where we store all of our information. There really is no secondary if there’s an outage and knock on, I think this is wood so far I haven’t run into any real issues with the clients that I service with those types of outages, but it doesn’t mean that a large provider can’t be subject to ransomware and they don’t want to pay the ransom and whatever denomination of Bitcoin it is today.
(16:09):
We need to be able to pivot. I’ve had clients that get fed up with the vendors and the stonewalling and the nonsense that they have to put up with and they decide that they’re going to pick up and move and they decide that before they really figure out where they’re going to go. It takes a lot to move from one platform to another depending upon how reliant upon that platform you are and it can cost quite a bit. Making sure that everyone understands the level of commitment before entering into one of these vendor agreements, I think the better off you are. Jeff, have you had any incidents with a vendor where it caused a critical service issue for your client?
Jeffrey Lang, Esq. (16:51):
Mainly just in the context of call it the recurring theme of, I have your checklist, I asked for these items, they say they don’t have them or they say if there’s six or nine things on the list, they have three and I say to them, “Well, there’s going to be times where you don’t get everything from everybody and there may be times where they don’t have all the things that we’re requesting.” So first thing we want to establish is have we obtained from them everything that they actually can give us in terms of what we’re seeking? And if they have given us that, then we’re documenting, well, we asked for X, Y, and Z, but they simply don’t have
Stephen Galletto, Esq. (17:31):
Them.
Jeffrey Lang, Esq. (17:32):
So our diligence is based on the information that we have.
Stephen Galletto, Esq. (17:35):
And you have to determine whether or not the relationship is one where the fact that they don’t have all of the information you’re looking for to do your regular due diligence is reasonable. If you’re dealing with a large industry service provider and they don’t have a due diligence packet at the ready that they can just email over to you, that’s a problem.
Jeffrey Lang, Esq. (17:54):
Right. I would say it is very much the norm now that folks that are in the advisory industry that are known to be advisor providers have these things at the ready.
Stephen Galletto, Esq. (18:06):
It’s part of every SEC exam. This is an important thing. You can’t just onboard a vendor and be done with it. It needs to be a continual thing. You need to have a process. You need to spend the time. You need to ask the questions. You need to have the documentation. Vendor due diligence is certainly going to be something the SEC is going to ask you for, and it’s not something you guys can really ignore. I want to thank Jeff and Ron for an excellent conversation and discussion. And if there are any podcast listeners out there that have any follow-up questions, feel free to send an email over to either one of us. We’d be happy to discuss with you before.
Intro (18:44):
The Advisor Intelligence Podcast provides general information and commentary only. The content is not legal advice, nor does it create an attorney-client relationship. For more information about Stark & Stark services, please visit our website at stark-stark.com.