Outsourced Vendor Risk Management

What Is The New Rule?

In October 2022, the Securities and Exchange Commission (SEC) proposed a new rule that would require registered investment advisors (RIAs) to satisfy due diligence on vendor risk management and ongoing monitoring requirements for specific “covered functions and services” that they may consider outsourcing to new vendors and existing service providers.

The purpose of the new rule, set to be voted on shortly, is to further mitigate any exposure to RIAs and their clients against various threats, such as cyber security breaches, financial losses, reputational damage, compliance violations, and/or operational disruptions across the lifecycle of the vendor relationship.

The demand for investment management services continues to grow as client needs have become more complex in nature. As a result, advisers often turn to third-party service providers to assist with certain functions or services that are necessary to remain compliant with Federal securities laws.

Such covered procurement, onboarding, monitoring, and offboarding functions and services are loosely defined by the SEC as activities that are “necessary for the investment adviser to provide its investment advisory services in compliance with the Federal securities laws, and that, if not performed or performed negligently, would be reasonably likely to cause a material negative impact on the adviser’s clients or on the adviser’s ability to provide investment advisory services.”

Covered functions include providing investment guidelines, portfolio management, and creating models related to investment advice, indexes, or trading services and/or software, according to the SEC.

The new proposal would require advisers to satisfy the following:

• Conduct due diligence on the level of risk involved before retaining a service provider that would be performing any of the functions or services described above.
• Conduct due diligence and monitoring for all third-party record keepers and secure reasonable assurances that the record keepers will meet certain standards.
• Maintain all records related to the new rule’s oversight obligations and report census-type information about the service providers covered under the proposed new rule.

Industry Perspectives Vary

Many have embraced the SEC’s proposal, anticipating data security issues will continue to increase globally and understanding that the SEC is looking to avoid a proverbial economic disaster trifecta: growing cyberattack and fraud sophistication, increased complexity of client investment needs, and the impact of global uncertainty.

The SEC argues that with 15,000 RIAs advising more than 60 million accounts with over $100 trillion in assets under management, the financial and reputational risk is very real.

But other subject matter experts are wholly against the idea of yet another regulation to adhere to, citing concerns over cost and lack of specificity in the proposal. The Investment Company Institute (ICI), for example, has called the proposed rule “unnecessary and flawed” with the following objections:

• The proposal is unnecessary because current laws already address the Commission’s cited concerns about the due diligence process as outlined above.
• The proposal lacks adequate substantiation and analysis.
• The definition of “covered function” is too vague.
• It is too prescriptive and will create duplicate costs.
• It will greatly disrupt advisory and fund operations.

What’s Ahead

Nevertheless, it appears inevitable that the new rule will pass and there is work to do to get prepared.

For organizations that have third-party risk management processes (TPRM) or a vendor risk management program (VRM) in place, it may be easier to comply with the proposed rule if you already conduct due diligence and monitoring as part of the supply chain vetting and assessment process.

But if any part of your existing process is not automated, you will experience a decline in the efficiency of your team. Analysts will need to shift more of their attention to the manual tasks needed to satisfy the requirements of the new rule, which means less time with clients.

Automating manual tasks and workflows will save time, increase accuracy and drive better reporting. You are better positioned to act, for example, on a service provider that is flagged for having poor or missing regulatory compliance controls in real-time.

For advisers without third-party risk management processes in place, there’s a lot more work ahead. Our advice remains the same: begin automating your vendor risk management processes and workflows. Avoid falling victim to thinking this can be managed by your team via disparate spreadsheets and Word docs without impact to client relations.

As you work toward identifying and documenting the nature and scope of the services your providers offer and assessing potential risks resulting from those service providers, consider how this data will be captured, organized, maintained, and reviewed.

For example, setting up vendor questionnaires to collect uniform responses from vendors and incorporating this into your due diligence workflow could be a game changer in terms of getting ahead of potential risks, spotting patterns, and flagging gaps in your compliance risk management.

How Can RIAs Move Forward?

Start now. Put data automation technologies in place that provide a single source of truth for all of your due diligence activities and meet your information security requirements. Think about the long-term sustainability of your vendor risk management process and consider all the data points and metrics needed from each vendor lifecycle as defined by the SEC. Look for any potential vendor risk exposure and detail how you will mitigate and manage it through your service level agreements and documentation requirements. Collect uniform data where applicable to streamline the process and look for opportunities to put your data to work for you and your stakeholders, rather than just collecting it. After all, the data you are collecting is valuable. You should take time to understand it and put it to good use.

Interested in learning more about how CENTRL is working with clients to prepare and implement full due diligence data automation for third-party vendor risk management? Let’s talk.