Managing Vendor Risks: Implementing an Effective Third-Party Due Diligence Program – Part 1 of a 3-Part Series

About our Contributors
ICS Group is a regulatory compliance consulting firm specializing in providing compliance support to the financial services and insurance industries. We help our clients comply with regulatory requirements and industry standards. Our clients include: registered investment advisers, private equity funds, hedge funds, mutual funds, broker-dealers, insurance companies and state pension plans. Our team of highly experienced compliance professionals know from first-hand experience what regulators are looking for, the industry standards that apply, and how to develop and implement cost-effective business-oriented solutions.

Financial services firms are increasingly contracting with third-party service providers to perform activities related to their business functions and regulatory responsibilities. Acknowledging this trend, regulators have made it clear that outsourcing an activity or function does not relieve firms of their ultimate responsibility for compliance with all applicable securities laws and regulations. Firms are at risk from the intentional or inadvertent wrongful acts of their third-party business partners, whether it be regulatory risk or reputational damage incurred by association with a third-party. As such, firms should have an effective third-party risk management program which includes an effective due diligence process to detect and evaluate risks.

Third-party due diligence has become the expectation of key stakeholders in most organizations. Organizations may be held accountable by regulators for errors, negligence or acts of corruption by their third-party vendors such as agents, custodians, auditors, suppliers, distributors, joint-venture partners, or any individual or entity that has some form of business relationship with the firm. Therefore, before entering into relationships with third-party service providers, firms should ensure that potential risks from these relationships are responsibly evaluated and managed. This entails conducting a thorough risk-based due diligence analysis.

A formalized third-party due diligence program can protect against reputational harm or headline risk, and better defend against investor litigation or regulatory action in the event of errors or losses. Having a documented process and adhering to that process can provide a clear factual defense in legal disputes or regulatory proceedings. In fact, conducting adequate due diligence may help organizations decrease, and under some international laws, even avoid the risk of criminal culpability for corrupt third-party conduct.

1. Define the scope of vendor risk.
Define the risk to your organization and find the appropriate level of due diligence for each entity. Involve appropriate representatives from the business, legal, compliance, risk management, and technology teams. The appropriate amount of due diligence should be guided by the results of a risk assessment process that rates third-parties as either high-, medium- or low-risk. The level of risk will ultimately determine the amount of due diligence that needs to be performed with high-risk third-parties subject to a more extensive due diligence process.

2. Know Your Vendors (KYV): Initial Due Diligence Assessment.
An essential requirement of third-party due diligence is to know your business partners and counter-parties.

• Ask the right questions. In operational terms, this means making appropriate inquiries of current or potential vendors to assure that they are financially stable, ethically sound, possess a strong corporate structure, and that they are capable of protecting your firm’s confidential information.
• Size the risk. Does your firm have fiduciary obligations or are you managing business risk?
• Understand who the vendor’s regulators are and the specific regulatory requirements to which they must adhere.
• If you must disclose information about your firm in order to evaluate the effectiveness of the services under consideration, then obtain a Non-Disclosure Agreement in advance of any information exchange.
• Conduct an on-site visit. There is NO substitute for real-time observations of business operations and employee dynamics.
• Build supervision and oversight expectations into the contract.
• Establish Service Level Agreements that clearly define the vendor’s accountabilities.
• Establish controls and procedures to ensure vendors are performing their duties.

3. Monitor the Process: Ongoing Due Diligence.
Ongoing due diligence should be performed consistently and at a level that matches the risk of the relationship.

• Define the scope. What information needs to be verified once the relationship is established?
• Identify the key risk areas and develop queries to fully assess how the risks are being managed.
• Determine a timeline. How often should the vendor be monitored? Quarterly, annually or both?
• Consider obtaining certifications from the vendor.
• If the vendor is a regulated entity, review the vendor’s regulatory compliance history.
• Balance conference calls with on-site visits depending on the vendor’s degree of risk.
• Maintain written documentation of the due diligence process and results.

A sound due diligence program should be designed to balance the benefits of outsourcing with the risk of liability through third-party service providers.

ICSGroup’s due diligence practice group includes third-party service provider due diligence. Whether your firm is onboarding a new vendor or monitoring risks with an existing vendor, ICSGroup can help your firm manage business risks through the implementation of effective due diligence processes that will satisfy the regulatory requirement to know your vendors.