You Can’t Outsource Responsibility
By Meghan Sundquist, Compliance Associate, with contributions from Pamela Lalli, Compliance Associate
Background
Ours is a world rapidly turning to outsourced over in-house labor. This is not a new trend, as big corporations have been outsourcing work for years. However, it has spread to other markets, and the finance industry is not an exception. SEC Compliance Solutions, along with many other companies, has arisen out of a desire to help businesses streamline and spread the workload in an affordable way. Outsourcing also allows firms to access various levels of expertise in a way they may not have been able to in the past. This includes legal advice, technological advancements, and portfolio management, to name a few.
As firms continue to outsource, the SEC continues to inquire into the due diligence process and recordkeeping of firms that hire third-party vendors. Some enforcement actions over the last few years (Virtus, Meridian) have highlighted the importance of firms conducting due diligence in a way that is thorough, consistent, and documented. Let’s jump into a few things to keep in mind as you work with vendors, whether you’re building a due diligence program from scratch or evaluating processes already in place.
Spread the Work, Not the Responsibility
This is arguably the most important thing to keep in mind as you approach due diligence. Risk evaluations, questionnaires, operational procedures, and sub-vendor lists should all be approached with the understanding that you can seek help and expertise, but you cannot outsource your way out of your responsibilities set out in the various Acts and Regulations to which your firm is subject.
Part of this does mean that you will need some basic level of fluency within your firm to evaluate third-party companies and vendors. A question shared at the 2025 NSCP Conference session on managing third-party relationships was “Do you have the right people to ask the questions in the right way and have the ability to accurately interpret the answers?” An example: it would be ineffective to have people with no prior understanding of cybersecurity asking questions and evaluating responses related to a vendor’s cybersecurity. The answer to this question will vary depending on your firm, but you will want to ensure that you have the knowledge base to own your responsibility as a firm when vetting potential and current third-party relationships.
Consistency with Adaptability is Key
As with most things in life, consistency is key, but it should not be rigid. Once you have a sufficient process in place, applying it consistently helps you notice patterns, spot missing items, and identify anything extra you may be requesting but don’t need. A repeatable approach also supports clear documentation and defensibility.
That said, consistency does not mean using the same approach in every situation. Changes in a vendor’s risk profile, new services, regulatory developments, or the appearance of red flags may require you to adjust the scope, depth, or focus of your review. There may also be practical reasons to pivot, such as the size, complexity, or criticality of the vendor relationship.
There are many ways you can structure your due diligence program. Regardless of what programs or software you use, be sure to document thoroughly each review and ensure you are covering anything expected by the regulators as well as anything documented in your policies and procedures. This includes review frequencies and documentation requirements. For example, if you have previously inquired whether a vendor conducts background checks on employees, ensure this is a consistent practice with all vendors.
A consistent framework, paired with the flexibility to adapt when facts change, creates a due diligence program that is both practical and defensible.
Don’t Ignore Red Flags
This may seem obvious, but life is busy. Work is busy. Maybe the concerning event didn’t affect your firm. This can include things like SLOA slips, layoffs at the company, an under-staffed vendor, errors and missed deadlines, security breaches, and lack of partnership. Pay attention to these instances, no matter how small, and document them as part of your due diligence review. If they happen throughout the year, jot them down in a place where you’ll see them when it comes time for your review.
Another thing to keep in mind is your risk profile for vendors. As things happen throughout the quarter/year, be sure to set time aside to analyze anything that has happened at various vendors and how it could affect your firm based on the vendor’s risk profile. A vendor that is considered low risk to operations or not very important could manage to still provide adequate service to the firm if understaffed. However, if a critical vendor is understaffed and not able to provide sufficient partnership or service to the firm, that would have a much more significant impact.
The moral of the story: don’t ignore the red flags, and be sure to analyze the impact of these red flags on the firm based on the risk profile of the vendor.