As a registered investment adviser (RIA), you likely know the Securities and Exchange Commission (SEC) expects oversight of any third party with access to sensitive client data. But what does that really mean in day-to-day operations?
Compliance can get murky without clear guidelines, making it critical for RIAs to build robust oversight practices that identify, monitor, and mitigate third-party risks.
Here’s what effective third-party oversight looks like and the steps your firm can take to stay compliant and protect your clients.
What is Third-Party Oversight for RIAs?
Third-party oversight is the ongoing process of managing and monitoring the third parties your RIA relies on, especially those that handle sensitive data or perform critical functions.
The SEC’s Regulation S-P specifically requires RIAs to “establish, maintain, and enforce written policies and procedures reasonably designed to require oversight, including through due diligence and monitoring of service providers, including to ensure that affected individuals receive any required notices.”
This means your RIA holds the responsibility to ensure your third parties meet the same standards you do for cybersecurity, privacy, and compliance. You can’t outsource your RIA’s fiduciary responsibility — your firm is accountable for safeguarding client data and ensuring regulatory compliance.
Third-party oversight for your RIA means:
- Having policies and procedures that address third-party risks
- Knowing your third parties and the types and amounts of data they access
- Assessing third-party cybersecurity and privacy risks through due diligence
- Identifying controls to mitigate third-party risks
- Ongoing monitoring to ensure third parties continue to meet expectations
Performing Third-Party Oversight at Your RIA
Although the SEC doesn’t offer step-by-step guidance for its third-party oversight requirements, there are clear activities your RIA can perform for effective oversight.
- Perform a third-party risk assessment: This means looking at each vendor to understand how risky the relationship might be. Ask questions like:
  - What service are they providing?
  - Do they access sensitive client data?
  - Could a mistake on their end impact your business or clients?
  This is called an inherent risk assessment, and it should be done by your firm, not the vendor.
Pro Tip: Vendor risk isn’t set in stone. A relationship that starts off as low or medium risk might become high risk over time, especially if the vendor’s role expands. That’s why it’s important to reassess risk regularly.
- Conduct initial due diligence: Before you hire any third-party vendor, whether it’s an IT provider, compliance tool, or outsourced service, you need to understand how they operate. This review helps you identify any red flags before signing a contract. Request and evaluate documentation that shows how they protect your clients’ data, such as:
  - Their information security policies
  - A recent SOC 2 report (an independent review of their security controls)
  - Their privacy policy and how they handle sensitive information
- Set contractual expectations: Once you’ve reviewed the vendor’s practices and feel confident moving forward, it’s time to set expectations in writing. Your contract should clearly outline:
  - What the vendor is responsible for (service level agreements or SLAs)
  - How they’ll protect your data
  - What happens if there’s a cyber incident or data breach
  - How quickly they must notify you if something goes wrong
Pro Tip: Under SEC guidance (Regulation S-P), vendors should notify your firm of a breach within 72 hours of becoming aware of it. Put that timeline in the contract.
- Monitor third-party performance: Oversight doesn’t end once the contract is signed. The SEC expects RIAs to regularly monitor third-party performance and SLAs. That means:
  - Making sure the vendor is meeting its responsibilities
  - Tracking whether they’re living up to the service levels promised
  - Watching for signs of trouble — like data breaches, service disruptions, customer complaints, lawsuits, or policy changes. Many firms use tools or risk alerts to stay on top of any incidents or data breaches that could impact client data or operations.
- Reassess third parties periodically: Just because a vendor was low-risk last year doesn’t mean they still are today. Regularly review and update their documentation, especially for vendors that handle sensitive information. Look for updated SOC 2 or security audit reports, business continuity and disaster recovery plans, and any changes to how they manage cybersecurity.
Pro Tip: Focus first on your critical and high-risk vendors. These should be reassessed at least once a year or sooner if something changes, like a data breach or service disruption.
- Have a plan for handling problems: Even with strong vendors, issues can come up, like missed deadlines, security concerns, or policy changes. That’s why your firm needs a formal issue management process for managing problems when they happen. Make sure you:
  - Know who’s responsible for handling vendor issues
  - Set clear steps for tracking, escalating, and resolving problems
  - Keep a record of how each issue was addressed
- Keep good records: The SEC wants to see proof of effective vendor oversight. That means keeping documentation of everything you’ve done throughout the vendor risk management lifecycle, including due diligence reviews, risk assessments, and ongoing monitoring, as well as any issues and how you resolved them.
Pro Tip: Don’t wait until you’re prepping for an exam to gather documentation. Third-party risk management software is a great tool to maintain your documentation in a centralized place and demonstrate compliance.
Third-party oversight is a necessity for your RIA. Regulators are looking to see how your RIA protects client data, even when it’s in the hands of a third-party vendor. By establishing processes and activities for third-party oversight, your RIA can demonstrate SEC compliance.
Remember, outsourcing a service doesn’t mean outsourcing responsibility. Your third parties should be held to the same standards you hold internally — and effective oversight is how you ensure that happens.
Written policies and procedures are a key SEC requirement for third-party oversight. Use our free third-party risk management policy template to get started.