While many advisory firms are keenly attuned to identifying the investment risks associated with using underlying third-party managers, such as subadvisors, separate account managers, and hedge and private equity fund sponsors, operational due diligence has generally garnered less attention. Yet, this is an imperative that advisory firms cannot afford to overlook.
The SEC considers operational due diligence of such managers as a part of an advisor’s fiduciary duty owed to its clients. The failure to conduct proper operational due diligence could lead to regulatory or civil liability should a client’s assets or information be lost, stolen, or otherwise compromised. This article provides a blueprint for firms seeking to adopt a program for conducting operational due diligence on such managers and focuses on three critical “P’s”: personnel, processes and privacy controls.
What Is Operational Due Diligence?
There is no uniform definition of operational due diligence. However, it is widely understood as an analysis of the non-investment-related risks affecting a manager. Investment risk is the risk that actual investment returns will be lower than investors expect, and an analysis of that risk typically focuses on a manager’s investment philosophy, process, methodology and strategy. Operational risk, on the other hand, is the risk that a manager’s operations will lead to investment losses, misappropriation of assets, and/or loss of client information. An analysis of operational risk principally focuses on a manager’s personnel, supervisory structure, operating and compliance procedures, and other risk management resources.
The Basic Tools
Tools abound to assist investment advisors in conducting operational due diligence. However, the backbone of most operational due diligence programs is the due diligence questionnaire, which solicits responses from third-party managers about their business and operations. The due diligence questionnaire is often accompanied by a request for additional documents from the manager.
Ronald Reagan’s old adage, “trust but verify,” is a fundamental tenet of operational due diligence. To verify the information and responses provided by a third-party manager, an investment adviser must therefore use other tools. Online searches of a third-party manager’s website and social media pages, a review of its Form ADV on the Investment Adviser Public Disclosure website, and general web searches can reveal a great deal about a manager and can supply background information used to customize the due diligence questionnaire.
Onsite visits of a manager are becoming more prevalent, in part because some managers will only allow certain sensitive information to be reviewed onsite. Onsite visits also allow an advisor to interview the manager’s employees and to observe the manager’s operational processes and risk management systems at work. Some advisors will ask to speak with a third-party manager’s service providers, such as custodians, auditors and fund administrators. These tools are designed not only to gather information about a manager, but also to confirm that such information is consistent with what the manager is saying.
Key Functional Areas
There is no one-size-fits-all approach as to what should be addressed when conducting operational due diligence because each manager is different. However, many types of issues surface time and again. In this article, we will focus on three principal topics: the manager’s personnel, processes and privacy controls.
It is critical to review a third-party manager’s personnel to ensure that they have appropriate integrity, experience, expertise, judgment, and familiarity with the manager’s operations to carry out the manager’s goals and mission.
Such a review will often begin with the manager’s organizational chart, which provides a visual representation of where the employees of a manager and any of its affiliates sit in the organization. The organizational chart allows key personnel to be identified. Special attention is often given to ensuring that a manager’s chief compliance officer, and perhaps chief operating officer, has sufficient qualifications, experience and knowledge to carry out their responsibilities on behalf of the manager.
Operational due diligence often encompasses an evaluation of the manager’s key personnel. The operational due diligence questionnaire will often request information relating to key employee biographies and information as to a manager’s process, if any, for conducting background checks on key employees. Third-party managers are also often asked for the list of responsibilities and the length of employment for key employees. Additionally, information relating to compensation arrangements for key employees may also be requested to determine the likelihood of retaining them.
As to independent reviews, online searches of a manager’s website, the employee’s social media pages (including LinkedIn), and other websites can provide general background about an employee. If the employee is a registered representative of a broker-dealer or an investment adviser representative of an investment adviser, a review of the Web CRD system will provide information relating to an employee’s work history, disciplinary history and outside business activities. Such information can be used to determine how long the employee has been working for the manager, the depth and breadth of the employee’s work experience, whether the employee has previously engaged in misconduct, and whether the employee faces conflicts of interest that compromise his or her ability to perform his or her duties on behalf of the manager.
Reviews of certain private research databases can reveal information relating to an employee’s criminal and regulatory disciplinary history; whether the employee is the subject of past or present litigation; whether there are outstanding judgments against an employee; and whether the employee has previously declared bankruptcy. Such information can be used to evaluate an employee’s integrity and judgment and to determine whether there are any incentives for the employee to engage in misconduct while employed by the manager.
In addition to reviewing the backgrounds of key employees, it is also important to review a manager’s overall governance and supervisory structure. Among other things, a manager must have appropriate checks and balances to ensure that employees cannot engage in misconduct. For instance, a manager’s traders should not be responsible for trade reconciliation for the manager. Additionally, multiple employees should be required to sign off on wires or other fund transfers.
Reviews of a manager’s affiliates are also important, as they may reveal conflicts of interest that can influence the decision-making of its personnel. For instance, if a manager has an affiliated broker-dealer, the resulting conflicts of interest must be properly vetted to ensure that clients are receiving best execution.
A critical component of the operational due diligence process is the review of a manager’s operating and compliance procedures, practices and risk management controls, which directly inform the level of operational risk faced by a manager. Some or all of the following documents are typically requested from a manager as part of such a review:
- Compliance, operations, trading, and other similar manuals;
- Code of ethics;
- Business continuity plan;
- Any compliance or operational risk assessments conducted by the manager;
- Any annual compliance reviews conducted by the manager;
- Documentation of compliance tests conducted by the manager; and
- Documentation of any third-party mock audits of the firm’s compliance program.
Information relating to some or all of the following topics is also often requested:
- Any compliance violations identified and any remedial or corrective actions taken;
- Any recent revisions to compliance policies and procedures;
- A description of any recent SEC or other regulatory examination of the firm;
- Any details relating to any regulatory sanctions levied against the manager; and
- Any complaints levied against the manager.
Because much of this information and documentation is confidential, managers may insist either on providing only summaries of such information or on allowing an investment adviser to review such documents only during an onsite visit. While space does not permit an in-depth discussion of each issue to be analyzed when reviewing such documents, the following list identifies some key issues that are often considered:
- Conflicts of interest (to ensure that they are properly identified, disclosed, and managed);
- Trading (including an evaluation of a manager’s investment guideline and restriction monitoring, best execution reviews, trade aggregation and allocation practices, trade error detection and correction practices, principal and cross trading practices, etc.);
- Custodial practices;
- Brokerage practices (including any use of soft dollars or receipt of other benefits);
- Insider trading controls (including the use of any information barriers, restricted, watch or gray lists);
- Proxy voting practices;
- Expense allocation practices;
- Valuation practices (particularly with respect to hard-to-value, illiquid investments); and
- Wire and fund transfer practices.
It is also advisable to query the manager as to the type and depth of training provided to employees with respect to their compliance responsibilities. Onsite interviews of employees can verify whether they understand the firm’s procedures and practices.
Because the protection of client data is such a pressing issue, it has become one of the highest-priority focus areas for operational due diligence programs in recent years. Such a review will typically touch on many of the areas highlighted above. For instance, questions can arise as to the experience and qualifications of the manager’s Chief Information Security Officer and technology team members in detecting and preventing cybersecurity attacks. Advisors may request documentation relating to any cybersecurity risk assessments, the firm’s cybersecurity policies and procedures, the results of any internal tests and/or vulnerability or penetration tests conducted by third parties, and the firm’s cybersecurity incident response plan. Invariably, managers will be asked whether they have experienced any data breaches and, if so, the nature of the breach; the extent of the damage; the remedial measures taken; and the improvements made to the firm’s systems to address any vulnerabilities. The following represent some issues that are likely to be addressed:
- The controls designed to restrict employee access to information;
- The firm’s approach to the encryption of data;
- The tools utilized to prevent data theft;
- The controls designed to protect data accessed from remote locations;
- Any cybersecurity due diligence conducted on the vendors used by the manager;
- The breadth and depth of cybersecurity training provided to employees; and
- The practices related to document destruction.
Onsite visits may prove particularly helpful to corroborate the information provided by the manager as well as to view the operation of the physical and technical safeguards the manager uses to protect client data. Such visits may also afford the opportunity to ask employees questions to evaluate their familiarity with the manager’s cybersecurity risk controls.
Separately, managers may receive requests as to whether the firm has cybersecurity insurance, and, if so, what type (e.g., first-party versus third-party) and amount of coverage has been obtained.
While operational due diligence does not guarantee that an advisor can avoid having to face any operational failures experienced by its underlying managers, such efforts go a long way towards demonstrating that the advisor has fulfilled its fiduciary duty to its clients in conducting proper due diligence.
Richard Chen is an investment management attorney who has been practicing for nearly two decades with several top multinational law firms and a leading compliance consulting firm. He now runs his own law firm practice, which serves independent wealth managers, hedge and private equity fund sponsors, financial planners, and other financial institutions. He can be reached at firstname.lastname@example.org.