What the SEC’s New Proposed Vendor Due Diligence Rule Means for Financial Advisers
In line with an ongoing trend to establish cybersecurity protocols for financial advisers, the SEC recently voted on a new proposal to address vendor due diligence and security.
As the financial services industry adapts to changing market conditions (demographics, increased assets under management, etc.) and an increasingly digital business landscape, the need to incorporate new tools and services to meet demand efficiently has also grown.
The proposed rule expands the definition of a vendor, which has historically focused on software and cloud solutions. This proposal indicates added emphasis from the regulator on service providers such as consultants, law firms, accounting firms, and others.
Under the Investment Advisers Act of 1940, the new proposal would prohibit registered investment advisers (RIAs) “from outsourcing certain services or functions without first meeting minimum [due diligence] requirements.”
"When an investment adviser outsources work to third parties, it may lower the adviser’s costs, but it does not change an adviser’s core obligations to its clients. Thus, today’s proposal specifies requirements for investment advisers designed to ensure that advisers’ outsourcing is consistent with their obligations to clients."
Key elements of the proposal
SEC Chairman Gary Gensler said the organization had “observed an increase in advisers outsourcing and issues related to the outsourcing and advisers’ oversight.”
The proposed rule would include requirements for advisers to:
- Conduct due diligence before engaging a service provider
- Periodically monitor performance and reassess whether due diligence requirements are being met, to determine whether the relationship should continue
The proposal would also amend the investment adviser registration form to include more specific information about service providers and their functions. This would offer more transparency for clients and enable the SEC to assess risk and oversee service providers.
The proposed rules reinforce existing obligations covered by an investment adviser’s duty of care, but significantly expand the due diligence obligations under existing third-party due diligence policies.
Proposed vendor requirements
The proposed rule imposes further due diligence and monitoring provisions on third-party vendors that provide recordkeeping functions.
Investment advisers would be required to conduct due diligence to ensure that the vendor can:
- Maintain internal procedures for producing and retaining records on the RIA’s behalf, to comply with the recordkeeping rule
- Produce and retain records to comply with the RIA’s recordkeeping rule requirements
- Allow RIA to access digital records
- Allow RIA to access digital records even after the vendor’s contract with the adviser terminates or if the vendor goes out of business
Advisers should plan to address these requirements with potential vendors and reassess current relationships to allow for the necessary policy adjustments and agreements.
How financial firms can prepare
So, what does this mean for RIAs and firms? Working with vendors is a critical part of doing business — but they must be trusted to access, handle and transmit highly sensitive information.
A vendor risk management solution simplifies the vendor risk assessment process by automating the most resource-intensive parts of third-party risk evaluation and management, including:
- Flexibility to create any relevant assessment questionnaire
- Automating the time-consuming process of grading vendor assessments and adjusting contract clauses to match
- Maintain auditable tracking of remediation plans and validation documentation
- Real-time reporting for cross-functional visibility
- Customization of assessments and rules to meet each firm’s unique needs
- Ongoing monitoring and remediation
As the vendor ecosystem expands and security threats evolve, firms should be proactive in their due diligence process. Performing annual reassessments, armed with a modern vendor risk management solution will help investment advisers stay secure and compliant.
Share this post!
Smarsh
Scalable for organizations of all sizes, the Smarsh platform provides customers with compliance built on confidence. It enables them to strategically future-proof as new communication channels are adopted, and to realize more insight and value from the data in their archive. Customers strengthen their compliance and e-discovery initiatives and benefit from the productive use of email, social media, mobile/text messaging, instant messaging and collaboration, web, and voice channels.
Smarsh serves a global client base that spans the top banks in North America and Europe, along with leading brokerage firms, insurers, and registered investment advisors. Smarsh also enables state and local government agencies to meet their public records and e-discovery requirements. For more information, visit www.smarsh.com.
Latest posts by Smarsh (see all)
- 5 Records Management Best Practices for Government Agencies - October 19, 2023
- Harnessing the Power of Generative AI in Financial Services - October 13, 2023
- Structuring a Best-in-Class Mobile Compliance Strategy - October 11, 2023
Smarsh Blog
Our internal subject matter experts and our network of external industry experts are featured with insights into the technology and industry trends that affect your electronic communications compliance initiatives. Sign up to benefit from their deep understanding, tips and best practices regarding how your company can manage compliance risk while unlocking the business value of your communications data.
Ready to enable compliant productivity?
Join the 6,500+ customers using Smarsh to drive their business forward.
More Resources
Off-Channel Communications Compliance and the Search for Best Practices
Watch it Work
Contact Us
Chat
Subscribe to the Smarsh Blog Digest
Subscribe to receive a monthly digest of articles exploring regulatory updates, news, trends and best practices in electronic communications capture and archiving.
Smarsh handles information you submit to Smarsh in accordance with its Privacy Policy. By clicking "submit", you consent to Smarsh processing your information and storing it in accordance with the Privacy Policy and agree to receive communications from Smarsh and its third-party partners regarding products and services that may be of interest to you. You may withdraw your consent at any time by emailing privacy@smarsh.com.
FOLLOW US