Are You Keeping an Eye on Your Service Providers?

Here’s how RIAs can maintain effective due diligence programs to evaluate third-party risks.

Many RIAs use third-party research and sub-advisory services providers to support their investment platforms. While RIAs typically excel at identifying competitive service providers, they may fail to implement robust operational due diligence (ODD) programs to review how these firms manage their own operational risks.

An effective ODD program takes a close look at the service provider’s business, compliance and operational risks to identify red flags.

Why Conduct Due Diligence?

Maintaining an effective service provider due diligence program is essential. In accordance with guidance from the Securities and Exchange Commission and the states, RIAs owe a fiduciary duty to clients to act in their best interest. This duty obligates firms to perform due diligence on service providers that deliver certain services supporting advisory clients.

While such services can be delegated, RIAs must still oversee them. RIAs that fail to establish sufficient oversight programs risk violating regulatory requirements. That is, the SEC may assert that the firm has insufficient procedures to address service provider oversight.

A robust ODD program provides more oversight, helping you avoid potential civil and regulatory liability, in addition to reputational harm.

Effective ODD Programs

There is no single approach to service provider ODD. Firms should implement comprehensive written due diligence procedures that are consistently applied to service provider analyses. Several reviews can be conducted for an effective ODD program. Many firms adopt a risk-based approach focusing on the service provider’s personnel, size and structure, and investment strategies. Firms typically employ due diligence questionnaires to gather this information. Documenting sufficient due diligence is a key ODD program component.

RIA firms often review publicly available disclosure information, including the service provider’s Form ADV documentation and FINRA reports, to identify significant background items (where the service provider is a registered entity). This documentation provides invaluable information on key personnel, including disciplinary history (criminal, regulatory or financial disclosure), employee experience level, and outside activities. Regulatory disclosures may signal red flags regarding the integrity and judgment of a service provider’s employees. Client references and Google searches also are useful.

A thorough ODD program includes a review of service provider risk management documentation, including:

Consider also:

Some service providers may decline to offer specific documentation on these sensitive items, in which case the ODD team may alternatively request a summary of material issues and remediation.

Periodic onsite visits can provide access to additional investment staff and further insight on daily operations, including identification of control gaps. An appropriately experienced ODD team should always interview key service and investment personnel.

Periodic service provider due diligence questionnaires, along with updated public disclosure reviews, support testing of ongoing due diligence. Ask the provider about any significant organizational or functional changes impacting service quality. Consider also whether due diligence reviews reveal any conflicts of interest with the service provider.


Thomas D. Giachetti is chairman of the Investment Management and Securities Practice Group of Stark & Stark. He can be reached at tgiachetti@stark-stark.com.