Third-Party Vendor Due Diligence – A Guide for Registered Investment Advisers

The Securities and Exchange Commission (SEC) requires investment advisers to meet certain due diligence requirements before hiring a service provider to perform specific investment advisory services or functions. It’s imperative that RIAs establish and maintain robust vendor due diligence and oversight programs—both at the initial onboarding stage and on an ongoing basis. In its 2025 examination priorities[1], the SEC highlighted oversight of third-party vendors, alongside policies and procedures, internal controls, and governance practices, among its areas of focus for RICs and Market Participants, and RIAs would be well-advised to treat this as an area of focus as well.

It’s also important to consider that investment advisers who outsource certain covered functions (functions that are essential to complying with securities laws and whose failure or improper execution could significantly harm clients) remain responsible for ensuring those functions are properly performed. These functions include, for example, investment research, portfolio management, investment advice-related models, trading services, recordkeeping, IT services, and technology and software. While outsourcing can be beneficial for investment advisers and their clients, it can also cause harm to clients if the firm outsources a function or service without proper oversight.

Below are several reasons why having a well-defined and structured due diligence process for third-party vendors that you work with is incredibly important for your firm.

  • Rule 206(4)-7 (Compliance Rule)[2]: Requires RIAs to adopt and implement policies and procedures reasonably designed to prevent violations of the Advisers Act. This includes managing risks associated with outsourcing. Firms have a responsibility to comply with regulations, and using vendors that do not meet regulatory requirements can expose the firm to legal and financial risks.
  • Regulation S-P and Cybersecurity Risk Alerts[3]: Emphasize the need to evaluate a vendor’s access to sensitive client data and the controls it uses to safeguard that data. Firms handle sensitive client information, and it is important to ensure that third-party vendors have sufficient information security measures in place to protect it. Using third-party vendors that do not meet industry standards or that have a history of security breaches can harm clients and damage the firm’s reputation.
  • Vendor Stability: Conducting due diligence on third-party vendors can help the firm assess, among other things, the vendor’s financial stability and long-term viability. This is important because the firm will be relying on the vendor to provide ongoing support and maintenance for its products or services.

There is no question that in recent years technology has become a deeply embedded and fundamental part of financial services and wealth management firms. It’s no longer just a nice-to-have, but can be an essential component of any firm’s overall value offering and its day-to-day operations. Although the areas below are not a comprehensive list of due diligence questions for evaluating third-party vendors, they should be considered a starting point to help your firm better understand the types of questions and areas you need to consider.


Data Protection and Security

One of the most critical areas of assessment when undergoing the due diligence process with a third-party vendor is data protection and data security. Any technology vendor and/or document management solution that will be in possession of clients’ personally identifiable information should be able to demonstrate the steps it takes to ensure the safety of such data.

The easiest and most effective way to ask for this proof is to request a SOC 2 Report. Obtaining the report is only the first step: read it, noting whether it is a Type I (controls described at a point in time) or Type II (controls tested over a period), the period it covers, any exceptions the auditor identified, and the complementary user entity controls your own firm is expected to have in place. This is incredibly important to demonstrate to clients and regulators that you take the security of client data seriously and that you have examined all vendors’ processes and procedures related to data security.

Remember, your firm can have the tightest cybersecurity measures in place, but you are only as strong as your weakest link – it’s always in your best interest to confirm that the technology provider you select is one that becomes a trusted partner: trusted by your firm, by your clients, and by regulators.

If any vendor you are considering working with refuses to provide a copy of its SOC 2 report, or is slow to provide this proof, this is a potential “red flag” and likely means you should evaluate that vendor carefully.


Information and Data Ownership

To ensure smooth transitions and avoid potential problems in the future, it is important to get a clear understanding of the ownership and transferability of client data on a technology vendor’s platform before signing a contract with them. Specifically, you should confirm whether or not you will be able to take your data with you if the contract expires. If the process for transferring data to and from another vendor is unclear or difficult, you may want to consider alternative solutions.


Organization Size and Depth

For small RIAs with 10-20 team members, outsourcing key functions can be a useful way to manage “key man risk”, where the departure of an important employee could disrupt the business. However, this strategy is only effective if the vendor has a team of skilled professionals who are familiar with your firm and can support your business on an ongoing basis. If you are relying on a single contractor, you are not fully mitigating key man risk. It is important to consider the size and stability of the vendor’s service team to ensure that they will be able to support your needs for the duration of your partnership.


Contract (Re)Assignability

When evaluating potential vendors, it is important for RIAs to consider the assignability of the contract in the event of a merger or acquisition. In the event that your RIA is acquired by a larger organization, you will want to ensure that there is a clear process in place for transferring the vendor contract to the new owner. This will help to ensure a smooth transition and prevent any disruption of service. It is advisable to clarify this process early in negotiations with the vendor to avoid any issues in the future.


Integrations with Other Technology

In the wealth management and financial services industry, it is essential for vendors to offer seamless integrations with other systems. When a vendor claims that their system can integrate with your existing technology stack and other third-party solutions, it is important to understand exactly what this means.

Is data able to flow smoothly between systems in both directions, or are there limitations on the flow of data? Before signing a contract with a vendor, it is crucial to consider the importance of integration with other components of your front and back office and to clarify any questions about integration to ensure that the vendor’s system meets your needs.


Other Considerations

When conducting your due diligence, it’s important to keep in mind the Books and Records Rule (Rule 204-2).[4] Firms are required to maintain accurate and thorough records of their due diligence process for third-party vendors. A secure, cloud-based digital document vault is recommended for archiving vendor records, including SOC 2 reports and other critical documentation. Investment advisers need to retain a copy of all third-party vendor agreements to ensure compliance and to have them readily available for regulatory bodies like the SEC.


Final Thoughts

Vendor and third-party oversight is not a “set it and forget it” exercise. Fortunately, RIAs have access to a wide range of resources and providers to support their advisory businesses.[5]

Core Compliance can assist with all compliance-related needs, including initial and ongoing third-party vendor due diligence, to help ensure adherence to regulatory requirements. We can take care of compliance, which gives you the time to focus on providing clients with the best level of service possible.


Author: Apryl Thompson, Compliance Consultant; Editor: Maggie Tavares, Sr. Compliance Consultant, Core Compliance & Legal Services (“Core Compliance”). Core Compliance works extensively with investment advisers, broker-dealers, investment companies, and private fund managers on regulatory compliance issues.

This article is for information purposes and does not contain or convey legal or tax advice. The information herein should not be relied upon regarding any particular facts or circumstances without first consulting with a lawyer and/or tax professional.

[1] See FY2025 Division of Examinations Examination Priorities

[2] See SEC.gov | Compliance Programs of Investment Companies and Investment Advisers

[3] See SEC.gov | Regulation S-P: Privacy of Consumer Financial Information and Safeguarding Customer Information

[4] See eCFR :: 17 CFR 275.204-2 — Books and records to be maintained by investment advisers.

[5] See Vendor Roundup: Tools & Services for Success in 2025 – Core Compliance