About our Contributors
ICS Group is a regulatory compliance consulting firm specializing in providing compliance support to the financial services and insurance industries. We help our clients comply with regulatory requirements and industry standards. Our clients include registered investment advisers, private equity funds, hedge funds, mutual funds, broker-dealers, insurance companies and state pension plans. Our team of highly experienced compliance professionals knows from first-hand experience what regulators are looking for, the industry standards that apply, and how to develop and implement cost-effective business-oriented solutions.
Financial services firms are increasingly contracting with third-party service providers to perform activities related to their business functions and regulatory responsibilities. Acknowledging this trend, regulators have made it clear that outsourcing an activity or function does not relieve firms of their ultimate responsibility for compliance with all applicable securities laws and regulations. Firms are at risk from the intentional or inadvertent wrongful acts of their third-party business partners, whether it be regulatory risk or reputational damage incurred by association with a third party. As such, firms should have an effective third-party risk management program which includes an effective due diligence process to detect and evaluate risks.
Third-party due diligence has become the expectation of key stakeholders in most organizations. Organizations may be held accountable by regulators for errors, negligence or acts of corruption by their third-party vendors such as agents, custodians, auditors, suppliers, distributors, joint-venture partners, or any individual or entity that has some form of business relationship with the firm. Therefore, before entering into relationships with third-party service providers, firms should ensure that potential risks from these relationships are responsibly evaluated and managed. This entails conducting a thorough risk-based due diligence analysis.
A formalized third-party due diligence program can protect against reputational harm or headline risk, and better defend against investor litigation or regulatory action in the event of errors or losses. Having a documented process and adhering to that process can provide a clear factual defense in legal disputes or regulatory proceedings. In fact, conducting adequate due diligence may help organizations decrease, and under some international laws, even avoid the risk of criminal culpability for corrupt third-party conduct.
1. Define the scope of vendor risk.
Define the risk to your organization and find the appropriate level of due diligence for each entity. Involve appropriate representatives from the business, legal, compliance, risk management, and technology teams. The appropriate amount of due diligence should be guided by the results of a risk assessment process that rates third parties as either high-, medium- or low-risk. The level of risk will ultimately determine the amount of due diligence that needs to be performed, with high-risk third parties subject to a more extensive due diligence process.
2. Know Your Vendors (KYV): Initial Due Diligence Assessment.
An essential requirement of third-party due diligence is to know your business partners and counter-parties.
3. Monitor the Process: Ongoing Due Diligence.
Ongoing due diligence should be performed consistently and at a level that matches the risk of the relationship.
A sound due diligence program should be designed to balance the benefits of outsourcing with the risk of liability through third-party service providers.
ICSGroup’s due diligence practice group includes third-party service provider due diligence. Whether your firm is onboarding a new vendor or monitoring risks with an existing vendor, ICSGroup can help your firm manage business risks through the implementation of effective due diligence processes that will satisfy the regulatory requirement to know your vendors.