Due diligence in the advisory world is like an onion: the more layers you peel back, the more it’s likely to stink. The goal, however, is to expose the stink and cook through it to satisfy both regulatory expectations and fiduciary obligations. But enough with bizarre food analogies… 

Much like a client performs due diligence on an investment advisor before handing over his or her life savings, an investment advisor is tasked with performing due diligence on the various service providers that the advisor has retained on the client’s behalf. Common targets of due diligence could be, for example, subadvisors, third-party money managers, custodians, executing broker-dealers, technology vendors or data aggregators. The list could easily go on, but is obviously specific to the business of the advisor.

All such third parties have the potential to directly or indirectly cause clients harm (for example, mismanage assets, go bankrupt, cause order-entry delays, fail to safeguard funds, or expose non-public personal information), which is why the regulators care.

On the other hand, it’s impossible to perform due diligence on everyone and everything. Are advisors really expected to turn over every stone at the United States Postal Service if it delivers clients’ quarterly statements? No. The key, much like a compliance program in general, is to tailor a due diligence program to the specific advisory practice and the potential risk that each third-party service provider may pose to clients. There is no standard investigative recipe, but advisors should consider taking the following steps to begin constructing a suitable due diligence program:

  1. Identify existing third-party service providers that are material to the client relationship, either due to the sheer number of clients that the service provider touches, the assets it can control, or the risks it may pose to clients should they screw up. Future potential third-party service providers should be vetted ahead of time using the same or similar process.
  2. For each third-party service provider, consider what information would be helpful to know in order to give you comfort that your clients’ best interests are being protected. Common areas of inquiry include disciplinary history, policies and procedures, disaster recovery preparedness, code of ethics violations, security protocols, etc. Deeper dives should be taken on the specific service that is being provided. Again, the list is far from exhaustive; however, the quality, not quantity, of information is what matters.
  3. Consider how you would like to obtain the information of interest. Depending on the relationship, any combination of telephonic interviews, on-site visits, questionnaires, certifications/attestations or other document requests can help fulfil your need. If the third-party service provider is large enough, request an SSAE 16 / SOC-1 or other independent control report to take advantage of the heavy lifting done by an independent auditing firm (note that a SOC-1 report covers controls relevant to financial reporting; where the concern is information security, a SOC 2 report is the one that addresses it). Don’t be surprised if a third-party service provider requests that you sign a non-disclosure agreement before sending anything.
  4. Actually review the information received. Due diligence should not be performed for the sake of filling lonely file cabinets; the information should instead be reviewed and followed up on if there are gaps or red flags.
  5. Consider setting up a free Google Alert for certain third-party service providers so you know when negative news is released that may impact your decision to retain a relationship with them. 
  6. Set a schedule that will dictate when the due diligence process should recur, either through sheer passage of time, when certain material events occur, or as your business needs change. 

All that being said, the due diligence process is not some sort of investigative utopia where everybody answers all requests in a timely fashion and freely shares all requested information. To even get a response at all can be like pulling teeth – especially for smaller advisors requesting information from industry behemoths.

The best advice I can give is to be dogged, document everything and keep peeling that onion until you get what you need.