The SEC recently proposed a new rule offering further guidance on the due diligence process expected of RIAs when they are evaluating third-party vendors used in their regular course of business. Below is a list of questions you may want to consider when assessing a potential new relationship with a third-party service provider*.
1. Data Protection/Data Security
Any vendor that will be in possession of your clients’ personally identifiable information should prove the steps they take to ensure the safety of such data. The easiest way to ask for this proof is to request a SOC 2 report, or their SSAE-18 audit report. You will want to show clients and regulators that you take the security of client data seriously and you have examined all vendors’ processes and procedures related to data security. An RIA can have the tightest cybersecurity measures in place, but you are only as strong as your weakest link – you must confirm that none of your outsourced vendors are that weak link.
2. Who Owns the Data?
Before signing a contract with a vendor, it is important to understand who owns the client data that has been residing on the vendor’s platform if and when that contract expires. Be sure to ask, “If I terminate this service contract, can I take my data with me?” Get a full understanding of the process for porting your data to another vendor before signing the contract. If this particular vendor is going to make it difficult to take your data with you, it may be advisable to find another solution before creating headaches for yourself down the road.
3. Size and Breadth of the Organization
Most RIAs are small businesses employing 10 – 20 team members. Outsourcing key functions of the business makes sense for firms this size because it eliminates key man risk — should one employee leave, taking key information with them, it can be very disruptive to the business as they scramble to hire someone new and train them. In theory, by outsourcing that function to a company, if your relationship manager or service contact at the vendor leaves, another team member simply slides in and takes over, creating little interruption to your day-to-day business operations.
But this can only play out if the vendor has a deep bench of highly trained employees and ensures a team will be supporting your business, so that several employees are familiar with your firm and your services. If you have essentially shifted the responsibilities from one internal employee to one external contractor, you haven’t eliminated this key man risk at all. And if the vendor itself is in financial trouble, you have the risk that the entire vendor relationship could end suddenly, causing you to scramble. For these reasons, it is imperative you get comfortable with the size of the service team working with you, and you ensure the business itself will continue as a going concern for as long as you will need their services.
4. Assignability of Contract
With the RIA industry’s frenetic M&A activity over the past few years, the assignability of vendor contracts has become an increasingly important component of vendor due diligence. If your RIA is acquired by a larger organization, what is the process for assigning that contract to the new owner? It is important to vet this process early in the negotiations with the vendor, to ensure a smooth and orderly transfer of the vendor relationship to the new firm and to prevent any loss of service during the transition.
5. Termination
No one enjoys discussing a prenuptial agreement before they get married, but it’s important to understand, should the relationship end for any reason, what is the process for unwinding the contract? Does the vendor require 30 days’ notice? 45 days? 90 days’ notice? Can the termination notice be delivered electronically? To whom at the vendor’s organization must the notice be delivered? Do you need to prove negligence or failure on the part of the vendor, or can the contract be terminated for any reason? These are all important components of the vendor relationship to understand before signing the contract.
6. Pricing Mechanics
Not only does one vendor price their services in a different fashion than other vendors offering similar services, but many vendors are now offering different pricing options within each RIA relationship. Some vendors will price their services based on assets on their platform; some will price based on the assets managed by the RIA, regardless of how many assets are placed directly with that particular vendor; some will price their services based on number of accounts, rather than amount of assets; and others will price their relationship based on the number of users/licenses required – and keep in mind that some vendors will allow the RIA to choose the number of licenses they want to purchase, while other vendors will choose the number of licenses for you, based on statistics taken from your firm’s ADV filing.
It will also be important to understand when and how your firm can hit various price breakpoints: based on asset levels, number of accounts, number of users/licenses, or even based on the length of the contract. “If I sign a 3-year contract versus a 1-year contract, can you give me a price break?” is an important question to ask the vendor during negotiations.
7. Integrations with Other Components of Your Tech Stack
As we have warned many times, technology vendors will throw out the word “Integratable” many times during negotiations – “Yes, our system is ‘Integratable’ with that system!” It is imperative that you understand exactly what that vendor’s definition of ‘Integratable’ is, as ‘Integratable’ does not necessarily mean ‘Integrated.’ Does data flow smoothly between both systems, in both directions? Or does data only push from System A into System B, but not from System B back into System A? Does data not flow at all between systems? It could very well be that this particular vendor defines ‘Integratable’ as having the ability to download data into Excel from one system and then manually upload that data into the other system. Most RIAs would not consider a manual download/upload of data as an integration point, but plenty of vendors define ‘integratable’ in exactly that fashion.
Depending on the system and how you plan to use it, it may not be a deal breaker if it does not integrate with other components of your back office, but you want to have the proper expectations around those integration points before you sign the contract, not after.
*This is not an exhaustive list of due diligence questions for your firm’s vendor discussions and should not be construed as legal advice. For the latest requirements under this proposed rule, RIAs should consult their Compliance Consultant and/or attorney.