Registered investment advisers (“RIAs”) and their employees are fiduciaries to their clients. As such, they are tasked with ensuring that the services being provided to clients are appropriate and in their best interest. The Securities and Exchange Commission (“SEC”) describes this fiduciary standard as follows:
“An adviser’s fiduciary duty means the adviser must, at all times, serve the best interest of its client and not subordinate its client’s interest to its own. In other words, the investment adviser cannot place its own interests ahead of the interests of its client. This combination of care and loyalty obligations has been characterized as requiring the investment adviser to act in the ‘best interest’ of its client at all times. In our view, an investment adviser’s obligation to act in the best interest of its client is an overarching principle that encompasses both the duty of care and the duty of loyalty.”
With this duty come numerous obligations, including but not limited to performing due diligence on third-party vendors (“Service Providers”) used to provide certain services to clients.
In this Risk Management Update, we discuss a firm’s regulatory requirements pertaining to due diligence, the key types of service providers that should be reviewed, important steps to take, and additional considerations that apply in times of significant business disruptions, such as pandemics.
SEC Requirements for RIAs
Rule 206(4)-7 under the Investment Advisers Act of 1940, as amended (the “Advisers Act”), requires RIAs to adopt written policies and procedures that address applicable federal securities laws and the firm’s business practices, and are reasonably designed to prevent violations.
Importantly, the due diligence performed should be adequate to ensure that any duties outsourced to Service Providers are being conducted in accordance with applicable state and federal laws and regulations and in line with contractual obligations.
Types of Service Providers to Review
RIAs work with a variety of Service Providers to assist them with servicing their clients. Some key types include:
- Third party advisers/sub-advisers
- Proxy Vendors
- Accounting Firms
- IT Providers
The above list is not exhaustive, and the types of Service Providers that an RIA should review will depend on the firm’s business practices and the services being provided to clients. For example, an RIA that is recommending unaffiliated private funds to its clients would need to perform due diligence on the issuer of the private fund, along with the main Service Providers to the fund (e.g., general partners, administrators, custodians, auditors, etc.).
Important Due Diligence Steps
There are several important steps to take when performing both initial and ongoing due diligence of Service Providers. Below is a list of the core steps that would apply to all types of Service Providers, but additional steps would be necessary depending on the type of Service Provider.
Step 1: Gather appropriate information about the Service Provider, including but not limited to:
- History/background information about the firm
- Qualifications and tenure of firm key personnel
- Insurance coverage
- Any recent or pending litigation, regulatory inquiries/exams, and/or client complaints
- Material conflicts of interest
- Client references
Step 2: Obtain and review the following main documents (as applicable):
- Policies and procedures covering business practices
- Business Continuity Plan
- Cybersecurity and Incident Response Plan
- Privacy Notice
- Audited Financials
- Service Organization Control (SOC) Report
- Applicable regulatory filings
Step 3: Interview Executive Management and other key personnel.
Step 4: Perform on-site visit.
Step 5: Follow up on any issues found.
All due diligence reviews should be documented and maintained with all data gathered in a designated file for each Service Provider.
Additional Considerations During Significant Business Disruptions
The importance of performing vendor due diligence has been underscored by the recent COVID-19 pandemic. Given the significant interruptions that have affected all types of businesses due to COVID-19, it is extremely important for RIAs to contact their Service Providers to ensure that they can adequately continue to provide services. Focus on applicable areas, such as: (i) business continuity plans, (ii) privacy and cybersecurity protocols pertaining to personnel working remotely, (iii) supervision of remote personnel, (iv) current material changes to business practices and any anticipated changes for the remainder of the year, and (v) potential effects to Service Provider financial stability.
Ask specific questions covering each of the above noted areas in order to obtain a reasonable belief that the Service Provider has and can continue providing services without material disruption. Based on the results of the due diligence review, determine whether follow-up reviews should be scheduled for the next term to confirm continued ability to perform services.
The COVID-19 pandemic has the whole world in uncharted territory. The landscape of the financial industry has changed, and the potential fallout is still unknown. As mentioned, due diligence reviews fall under an RIA’s fiduciary duty. However, in times like these it is extremely critical for RIAs to focus additional time and resources on performing due diligence on their Service Providers to ensure continuity of services.
Author: Tina Mitchell, Managing Director, Consultation Services, Core Compliance & Legal Services (“Core Compliance”). Core Compliance works extensively with investment advisers, broker-dealers, investment companies, hedge funds, private equity firms and banks on regulatory compliance issues.
This article is for information purposes and does not contain or convey legal or tax advice. The information herein should not be relied upon in regard to any particular facts or circumstances without first consulting with a lawyer and/or tax professional.
 Commission Interpretation Regarding Standard of Conduct for Investment Advisers, Investment Advisers Act Rel. No. 5248 (June 5, 2019)
 An agreement should be entered into with each Service Provider that outlines, among other things, the services to be provided and includes detailed confidentiality clauses.
 For example, for broker-dealer Service Providers, an independent check via FINRA’s website should be performed on the firm and its key registered personnel to determine if registrations are current and whether there are any material disciplinary issues.
 This step should be taken initially, but also will depend on the type of Service Provider and location.
 This should be documented and include a summary of the issues and how they were resolved.