SEC Proposes New Outsourcing Rule: How TPRM Can Help Investment Advisers Prepare


New amendments proposed by the Securities and Exchange Commission (SEC) will prohibit registered investment advisers from outsourcing covered functions to third-party providers without conducting diligence and monitoring. Though investment advisers have been outsourcing services to third parties for decades, the SEC has proposed these new amendments to ensure that they fulfill their obligations to their clients.

What does this mean for investment advisers, and how can you prepare for the changes ahead? Let's look at some of the proposed requirements and how your organization can prepare to comply.

Why Is Third-Party Oversight Important?

Without proper oversight, outsourcing products or services necessary to provide investment advisory services can expose an organization and its clients to various threats. A few examples of these threats include cyber breaches, financial losses, reputational damage, compliance violations, operational disruptions, and legal action. For example, a service provider with lax cybersecurity practices could result in the loss or misuse of a client's information. And if a service provider has poor or missing compliance controls, there may be an inability to prevent fraudulent, deceptive, or manipulative activities committed by employees and others.

To combat these risks, the SEC's proposed amendments require investment advisers to perform due diligence and monitoring activities to verify that the vendor aligns with their obligations to their clients. For many investment advisers, these activities may seem unfamiliar or overwhelming, and your organization might not know where to start. So, let's look at these new requirements and how investment adviser organizations can prepare to comply with these amendments.

How Can Your Organization Prepare for Compliance?

Under the amendments, your organization should be performing due diligence and monitoring any service provider providing a covered function. The SEC defines a covered function as:

  • Those necessary for the adviser to provide its investment advisory services in compliance with the Federal securities laws
  • Those that, if not performed or performed negligently, would be reasonably likely to cause a material negative impact on the adviser's clients or on the adviser's ability to provide investment advisory services.

The SEC has identified multiple examples of covered functions, including: 

  • Adviser/sub adviser client services
  • Cybersecurity
  • Investment risk
  • Pricing
  • Portfolio accounting
  • Record keeping
  • Trade communication and allocation
  • Valuation
  • Technology or services related to an adviser’s investment decision-making processes

Identifying your outsourced covered functions and the service providers responsible for them is a good first step in preparing for the proposed rule. From there, it is important to understand the scope and scale of the due diligence and monitoring requirements.


Understanding the Requirements

The SEC has detailed expectations for due diligence and monitoring. Your processes must account for the following:

Due diligence:

  • Identifying and documenting the nature and scope of the services
  • Identifying and assessing the potential risks resulting from the service provider performing the covered function, including how to mitigate and manage such risks
  • Evaluating the service provider's competence, capacity, and resources necessary to perform the covered function, which may include the review and assessment of:
    • Due diligence questionnaires
    • A summary of a service provider's business continuity plan
    • An assurance report on controls by an independent party
    • Certifications or other information regarding a provider's operational resiliency or implementation of compliance policies, procedures, and controls relating to its systems
    • Results of any testing
    • Conducting periodic onsite visits
    • Additional information relevant to the scope and risks of the product or service

  • Business continuity and disaster recovery plans
  • Certifications that verify the provider's resiliency or system controls
  • Penetration testing results
  • On-site visits

Monitoring requirements:

Upon engaging a service provider, the proposed rule requires the adviser to periodically monitor the service provider's risk profile and performance. Monitoring should occur in a manner and at a frequency that allows the adviser to determine if it remains appropriate to continue outsourcing the covered function to the specific service provider.

Once you've identified your covered functions and the associated service providers and understand the new requirements, the next step is to identify how to execute the necessary processes.

For organizations that already have a third-party risk management program in place, it will be easier to comply with the proposed rule and its due diligence and monitoring requirements. After all, due diligence and monitoring are part of the third-party risk management lifecycle and will automatically be part of any healthy third-party risk management program.

Meanwhile, advisers without any third-party risk management processes may find a lot more work ahead of them to begin executing these practices. Still, working to implement a third-party risk management program before the proposed rule becomes effective can be a sound strategy. A robust TPRM program will help advisers comply with the proposed SEC rule and continue to support overall regulatory compliance now and in the future. TPRM programs also provide other benefits, helping your organization protect sensitive data, preserve your operational resiliency, and safeguard your hard-won reputation.
