In today’s regulatory and operational environment, third-party risk management has evolved from a best practice into a regulatory expectation for SEC-registered investment advisers. Increasing reliance on service providers has expanded the inherent risk that investment advisers carry. At the same time, recent regulatory developments, particularly amendments to Regulation S-P, have heightened the SEC’s expectations around vendor oversight.
In Salus GRC’s recent Navigator Webinar on April 7, “Diligence 360: A Comprehensive Approach to Third-Party Risk Management,” Jacob Cane and Mike Scally from Salus GRC and Alex Zotov from TA Associates explored how investment advisers can design, implement, and sustain effective vendor due diligence programs. The panelists highlighted the following considerations for advisers building and maintaining an effective vendor due diligence program.
Why Vendor Oversight Matters More Than Ever
Vendor relationships introduce a range of interconnected risks that can directly impact an adviser’s fiduciary obligations. These risks generally fall into three categories:
- Business and operational risk – A vendor’s inability to deliver services due to financial instability, staffing issues, or operational immaturity can disrupt an adviser’s ability to operate effectively.
- Cybersecurity risk – Service providers with access to the adviser’s systems or sensitive data create exposure to breaches, data leakage, and cyber incidents.
- Regulatory and investor risk – Failures in vendor oversight can lead to violations of the Advisers Act, reputational damage, and investor scrutiny.
Historically, vendor due diligence has existed in a “gray area” of regulatory expectations. However, recent amendments to Regulation S-P remove some of that ambiguity by explicitly requiring ongoing oversight of service providers, particularly those with access to customer information.
For many firms, this means shifting from informal or ad hoc diligence of their service providers to a comprehensive, documented due diligence program.
Moving Beyond Cyber: A Multi-Dimensional Approach to Due Diligence
While cybersecurity due diligence remains foundational, the webinar emphasized that a “360-degree” approach requires evaluating vendors through multiple lenses:
1. Cybersecurity Due Diligence
Applies to any vendor with access to an adviser’s IT systems or sensitive data. This process includes evaluating controls, data protection practices, and incident response capabilities.
2. Operational Due Diligence
Focuses on a vendor’s ability to perform its function reliably and compliantly. This evaluation covers the vendor’s governance, training, regulatory controls, and business continuity. If the vendor were unable to perform its function, the resulting interruption in service would negatively impact the adviser’s ability to advise its investment clients.
Notably, some vendors, such as expert networks, may pose significant operational or compliance risk (e.g., MNPI exposure) despite having limited or no access to an adviser’s IT systems.
3. AI Tool Due Diligence
A rapidly emerging category, AI tool due diligence examines how an AI tool uses, stores, and processes data. Even secure platforms may introduce risk depending on their configuration or on the tool’s fundamental business model, such as whether the tool trains on adviser data or exposes outputs externally.
4. Execution Risk and Human Capital Due Diligence
An increasingly valuable dimension, this process involves the analysis of employee sentiment, turnover, and organizational stability using external data sources. These factors can serve as leading indicators of a service provider or portfolio company’s service quality and execution risk.
Taken together, these perspectives provide a more complete picture of vendor risk than any single approach alone.
Risk-Based Tiering: The Foundation of an Effective Program
A central challenge for advisers is determining which vendors require deeper scrutiny. The webinar highlighted the importance of risk-based tiering, driven by two primary factors:
- Criticality to business operations – Could an interruption in a vendor’s services disrupt the adviser’s ability to provide advisory services to its clients?
- IT risk exposure – Does the vendor have access to the adviser’s sensitive data, IT systems, or regulated activities?
For example:
- Banks and custodians may be critical due to transaction dependency.
- IT providers pose cybersecurity risk due to system access.
- Expert networks present compliance risk related to potential MNPI transmission.
Once vendors are categorized, advisers can tailor due diligence frequency and depth. High-risk vendors may require annual or more frequent reviews, while low-risk vendors may be reviewed less often.
Building (and maintaining) a Vendor Oversight Program
Step 1: Inventory and Classification
Firms should begin by identifying all vendors, often by collaborating with department heads of non-compliance functions who maintain vendor relationships. This cross-functional approach is essential, as compliance teams rarely have full visibility on their own.
Step 2: Establish Clear Criteria
Defining what constitutes a “key vendor” is one of the most challenging but important steps in this process. Leveraging regulatory guidance (including proposed regulatory rules and exam priorities) can help create defensible categories that can be mapped to oversight requirements.
Step 3: Implement a Formal Process
Effective programs rely on standardized questionnaires, consistent evaluation criteria, and documented workflows. Informal or inconsistent approaches are difficult to defend during regulatory exams.
Step 4: Integrate Into Onboarding
Firms that successfully administer their vendor due diligence program typically conduct due diligence before vendor onboarding. Firms that delay this diligence often struggle to obtain cooperation from a vendor later.
Step 5: Create Ongoing Monitoring Mechanisms
Vendor oversight is not a one-time exercise. Firms should establish recurring review cycles, with frequency tied to vendor risk levels.
The Case for Outsourcing
While many firms initially attempt to build vendor oversight programs in-house, capacity constraints often become a limiting factor.
Key drivers for outsourcing include:
- Resource constraints – Vendor diligence is time-intensive, involving outreach, follow-ups, and analysis.
- Interdisciplinary complexity – Oversight spans compliance, IT, operations, and legal functions.
- Program defensibility – Third-party providers bring standardized methodologies and experience with regulatory exams.
Importantly, outsourcing does not eliminate internal responsibility. Instead, it enhances execution and consistency.
Practical Implementation Challenges
Even well-designed programs encounter obstacles. Common challenges include:
1. Internal Alignment
Non-compliance teams may not initially understand the importance of vendor diligence. Clear communication of regulatory risks and business impacts is critical to securing cooperation.
2. Vendor Participation
Obtaining responses from vendors can be difficult. Effective strategies include:
- Targeted, relevant questionnaires
- Automated and manual follow-ups
- Flexibility (e.g., video calls instead of written responses)
3. Avoiding Gaps in Coverage
To ensure no vendor is overlooked, advisers can embed compliance checkpoints into operational systems. One example shared in the webinar was integrating diligence questions into vendor payment workflows. This approach prevents the adviser from paying a vendor’s invoice until compliance review is complete. Non-payment in this area is a reliable way to ensure the vendor’s cooperation with the diligence process!
4. Role Clarity
Due diligence often reveals an ambiguous division of responsibilities between a vendor and the adviser (e.g., AML/KYC ownership between fund administrators and advisers). Identifying and resolving these gaps is a key benefit of the vendor due diligence process.
Emerging Risks: AI and Fourth Parties
AI adoption introduces new layers of complexity, particularly around:
- Data usage and model training
- Sub-processors and underlying LLMs
- Configuration risk (e.g., agentic AI with system-level access)
These risks extend beyond direct vendors to fourth-party relationships, requiring firms to understand not just their vendors, but their vendors’ vendors.
A structured diligence framework should include:
- Identification of sub-processors
- Data flow mapping
- Evaluation of hosting, encryption, and access controls
Meeting Regulatory and Investor Expectations
Vendor oversight is now a clear focus area in SEC examinations and investor due diligence questionnaires (DDQs). Advisers should expect:
- Document requests related to vendor oversight processes
- Scrutiny of due diligence documentation and follow-up actions
- Questions about how vendors are selected, monitored, and remediated
A robust vendor due diligence program offers several advantages to investment advisers:
- Regulatory defensibility: Demonstrates a structured, risk-based approach
- Operational resilience: Identifies and mitigates vendor weaknesses
- Investor confidence: Signals institutional-grade risk management
Key Takeaways for RIAs
- Vendor oversight is no longer optional. Regulation S-P formalizes expectations.
- A multi-dimensional approach is essential, extending beyond cybersecurity to operational, AI, and human capital risks.
- Risk-based tiering drives efficiency, ensuring resources are focused where they matter most.
- Integration into onboarding is critical to securing vendor cooperation and avoiding gaps.
- Outsourcing can enhance scalability and defensibility, particularly for resource-constrained firms.
- Ongoing monitoring of vendors, not one-time diligence, is the regulatory expectation.
As vendor ecosystems grow more complex, investment advisers must adopt a proactive, structured approach to third-party risk. A “Diligence 360” framework provides a practical path forward in meeting both regulatory requirements and investor expectations.