In 2009, the SEC stated at its CCOutreach Program that “when a service provider is utilized, the adviser still retains its fiduciary responsibilities for the delegated services.” This philosophy is as true today as it was 10-plus years ago. Therefore, the question becomes how do you establish a due diligence oversight program for your firm’s service providers that assists with building effective partnerships?
Here is a 5-step program to get you started:
1. Identify who your service providers are. The easiest and most comprehensive way to do this is to follow the money. Ask your accounting group for a list of third parties that the firm has compensated in the last 12 months.
- Distinguish service providers from vendors. Service providers are businesses or individuals that contract with your firm to fulfill a function or functions that would otherwise be done by in-house personnel. Think of a service provider as an extension of your staff. Vendors, on the other hand, generally supply a product, application or system used by the firm to manage information or conduct a specific task. Accomplishing the task is done by in-house personnel.
2. Assess the risks associated with the functions performed by each service provider. Risk can be measured in various ways. The question to ask is what impact a service provider’s failure to fulfill its responsibilities will have on your firm and/or clients. The impact can be financial, operational, regulatory and reputational or, most often, a combination of risks.
- Service provider risk assessments assist with determining your significant service providers. They also aid in identifying the activities for which a service provider is responsible. Reviewing service level agreements as part of an assessment helps to clearly define risk levels and the firm’s potential exposure.
- Consider the ability to replace a service provider if necessary. Service providers who would be difficult to replace because of the complexity of the relationship or lack of competition carry a higher risk than those that can be easily replaced.
3. Determine who owns the service provider relationship. The compliance group may be responsible for the administration, but they are not necessarily responsible for overseeing each service provider’s activities on behalf of the firm. As compliance is everyone’s responsibility, so is service provider due diligence.
- There are options when assigning responsibility for oversight of a service provider relationship. Some firms may decide that the responsibility for overseeing a service provider relationship belongs to the business unit that interacts with the service provider most often. Other firms prefer to insert a level of independence in the process and assign responsibility to a committee or risk function. The process that works best for your firm is the right approach. What is important is that each relationship has an “owner” responsible for confirming that the firm’s oversight process is followed.
4. Develop a process for conducting due diligence reviews. The scope of a due diligence review can vary in many ways. However, firms should establish a standardized process for overseeing service providers. The process should include:
- Criteria for an initial assessment of a proposed service provider
- Means by which a service provider is approved (consider the roles of legal, finance, compliance and information technology in the approval process)
- Development of a review schedule which includes the frequency and types of reviews
- Periodic assessment of the service provider
- Escalation of breaches of the service level agreement or issues with the service provider
- Retention of records of reviews
- How the program is administered and by whom
- Reviews of service providers can take many forms. A “one size fits all” approach rarely works. Consider the most appropriate way to gather information and oversee each service provider. Assessing a service provider can be done through certifications/attestations, due diligence questionnaires, the service provider’s website, client portals, onsite meetings or any combination of these tools.
- Consider a variety of factors. Most obvious is to evaluate the quality of the services provided and whether the service provider meets its obligations under the contract and/or service level agreement (SLA). Also consider factors that may impact the service provider’s ability to deliver in the future, including changes in staff or management, a sudden increase or decrease in clients or changes to the business structure.
5. Retain records of the periodic reviews conducted for each service provider. We all know that unless you can demonstrate your oversight and controls pertaining to a particular function, the regulators will not give you “credit” for having such controls. One of the most important aspects of a service provider oversight program is, like the review process, developing a consistent standard for maintaining records of service provider reviews.
- Don’t rely on a service provider’s website to obtain historical materials. Service providers are accustomed to responding to due diligence review requests. To facilitate responding to such requests, many service providers post responsive materials in the client portal of their websites. This allows clients to access the information when needed and to tailor or limit other due diligence requests to specific questions pertaining to the services that are being provided. If you are relying on materials available through the client portal to support your reviews, be sure to download them to your firm’s network in a designated location or folder. They may not be available through the portal when you need them for a regulatory exam or compliance testing.
- Consider information related to their service performance. If, for example, your operations team has a monthly update meeting with the service provider, retain any materials, report cards, etc. as part of your due diligence file. Also be sure to document key events that occur as part of the relationship, such as errors made by the service provider.
While the service provider due diligence process is straightforward, it does require resources. Consider whether engaging a third party to assist with conducting initial and ongoing oversight reviews of your firm’s service providers would ensure that reviews are done in a timely manner and increase the depth of the reviews. Third parties can bring broader experience and an understanding of industry practices to the reviews. If you would like to consider third-party assistance further, please contact CSS Compliance Services at email@example.com.