
Due Diligence Quick Guide for Financial Planners

Due diligence is important whether you are considering a third-party money manager, cloud data storage provider or an office cleaning service.

This quick reference guide can walk you through the development of your firm’s due diligence process.

Regulatory Opinion on “Outsourcing”

You cannot outsource your supervisory responsibilities. This means you must make your best efforts to ensure that your vendors are doing what they are supposed to be doing. When you outsource operations and functions, the regulators do not look further than your internal controls—even if the third-party service provider (or vendor) did not perform as promised.

Types of Vendors on Which You Need to Perform Due Diligence

The following is a partial list of the types of vendors on which you need to perform due diligence:

  • Broker/dealer—custodians
  • Third-party asset managers or sub-advisers (money managers)
  • Mutual funds, limited partnerships and other investment vehicles
  • Portfolio and back office services
  • Compliance consultant
  • Technology—computer services
  • Accounting
  • Proxy voting services

Information Gathering on Vendor

Here is a list of the information you’ll need to gather on your vendors:

  • About the company and history
  • If vendor is a regulated firm (BD or RIA):
    • Obtain Public Disclosure records (from BrokerCheck or IAPD)
    • Obtain Form ADV 2 disclosure documents
  • If vendor is an investment company, obtain prospectus or offering memorandum
  • Financial and managerial strength
    • Obtain financial statements
    • Obtain biographies of managers
    • Evaluate recent changes in management or ownership
    • Litigation/arbitration or other legal history or complaints
  • Services and/or products offered by company
  • What is the workload capacity of vendor to take on a new client of your size?
  • Are you too small a client and likely to be treated as a low priority?
  • Vendor responsibilities—what are their contractual obligations?
  • Responsibilities retained by your firm (or responsibilities assigned to your firm by vendor)
  • Review all contract provisions
  • Recourse if vendor fails to perform as promised (waivers of liability in contract)
  • Conflicts of interest
    • Does your relationship with the vendor create a conflict of interest?
    • Does the vendor have any conflicts with its existing affiliates or centers of influence?
    • Do any conflicts create a disclosure requirement to your clients; or are conflicts too great to overcome and prevent doing business with the vendor?
  • Succession plan
  • What is the vendor’s reputation? Seek references from satisfied clients and inquire with colleagues
  • Schedule on-site visit to vendor to kick bricks and meet management and support staff
  • Document all your data gathering and due diligence efforts in your compliance files

Representations of Internal Controls by Specified Vendors

Vendors that are “critical business constituents” (e.g., banks, custodians and third-party asset managers) must provide you with documentation or a representation of their internal controls on their business continuity plan.

Vendors that have access to personal and confidential client information (e.g., custodians, IT consultants and auditors) must provide you with documentation or a representation of their internal controls on the following:

  • Privacy controls under Regulation S-P (safeguarding information)
  • Identity theft prevention program under Red Flags Rule (Reg S-ID)
  • Cybersecurity plan to protect information; detect and respond to security breaches

As a best practice, this type of information should be obtained from all vendors even if not meeting these criteria.

Conduct Ongoing (Periodic) Due Diligence

Assign the appropriate supervisor to oversee the vendor’s work and examine the following:

  • Is the vendor performing as promised?
  • Have contract provisions changed, and do they need re-evaluation?
  • Have there been changes in management, financial strength or legal matters?
  • Is vendor keeping up with regulatory changes that you must abide by?
  • Has there been bad press?

Todd Sakoda

Todd Sakoda brings 20-plus years of experience in the financial services industry ranging from compliance and operations to business development and relationship management. His last 12 years have focused on independent registered investment advisory firms. Over his career, he has also worked with independent broker-dealer advisers and bank investment programs. He is a coach, along with John T. Carr, in the FPA Coaches Corner for Compliance, where this resource guide was first published.

John Carr

John T. Carr represents financial services professionals to limit, defend and/or deflect liability in regulatory investigations, enforcement actions, arbitrations and court cases pending before Oregon Circuit Courts, Washington Superior Courts and the United States District Courts for the District of Oregon and the Western District of Washington. Carr is known as one of the preeminent legal advisers to financial advisers, having represented hundreds of industry clients over multiple decades. He is a coach, along with Todd Sakoda, in the FPA Coaches Corner for Compliance.



Money Manager Analysis: Issues and Considerations

There are many ways in which advisers can serve the best interests of their clients. Some advisory firms with the background and expertise within the firm choose to directly manage their clients’ portfolios. Others may choose to focus their time on financial planning needs and “outsource” the investment management.

Regardless of how an adviser decides to operate, it’s important that a firm’s disclosure documents are in line with what the firm is doing and that the firm is properly registered. Regulators will scrutinize a firm’s disclosure documents for accuracy. The focus of this piece is to help advisers who outsource (or plan to outsource) the investment management to third-party money managers understand their situation so they can properly answer the disclosure questions in the SEC’s Forms ADV 1, ADV 2A and ADV 2B, and determine whether the structure of the third-party money manager relationship makes sense for their situation.

Issues and Considerations

Consider the following potential issues and considerations when working with third-party money managers.

  1. What is the true nature of your firm’s relationship with the third-party money manager(s)?
  2. Are you acting as a solicitor?
  3. Is the third-party money manager acting as a sub-adviser?
  4. Under this relationship, what services are you providing clients versus the services that the third-party money manager is providing?
  5. How are you compensated? How is the third-party money manager compensated?
  6. How do you disclose the true nature of the relationship on your ADV disclosures?
  7. When the third-party money manager is engaged, is the client still considered a client of yours?
  8. If they are deducting fees, but it is “your client”:
    • Are they doing it properly under the custody rule?
    • Are they billing in advance for a period of more than six months (triggering audited financials for you if it is “your client”)?
  9. Is it your policy not to have discretion?
    • If so, does the third-party money manager trade with discretionary authority?
    • Are you responsible for approving their trades? (If you approve recommended changes without prior client approval, you are likely violating your policy and taking discretion.)
  10. How does the outsourcing of the investment management impact your firm’s value proposition?
  11. What is the reputational risk of working with third-party money manager(s)?
  12. If things go wrong with a specific client account, can they disclaim liability because it is your advisory account?

Due Diligence

During your due diligence process, discussions with sales representatives (or relationship managers) of the third-party money manager will often provide you with the general information you need to answer the above questions. That said, it may serve you well to read through the third-party money manager’s actual documents (Form ADV, agreement between your firms and the advisory agreement your clients will sign), even though it will require additional time and analysis.

The devil is in the details. Additionally, when push comes to shove, these documents will likely be at the center of determining: (1) whether your firm’s disclosures are accurate; as well as (2) ultimate responsibility on any issues that arise.

Todd Sakoda

Todd Sakoda brings 20-plus years of experience in the financial services industry ranging from compliance and operations to business development and relationship management. His last 12 years have focused on independent registered investment advisory firms. Over his career, he has also worked with independent broker-dealer advisers and bank investment programs. He, along with John Carr, is a coach in the Compliance FPA Coaches Corner.

 



New York Planners: Time Is Running Out for Your Firm to Qualify for The NYDFS Cybersecurity Regulation Limited Exemption

Under the new NYDFS cybersecurity regulation (23 NYCRR Part 500), any individual operating with a license, registration, or similar authorization under New York banking, insurance or financial services is required to assess their security risk profile, design a cyber program that addresses their risks and file an annual certification that confirms they are in compliance with regulations.

September 27, 2017 is the deadline for filing your Notices of Exemption, and failure to do so on time will cost your firm thousands if it would have qualified for the Limited Exemption.

You may qualify for a limited exemption if you meet any one of the following (the following information is from the New York Department of Financial Services and is available here):

Section 500.19 (a)(1): Have fewer than 10 employees, including any independent contractors, of the Covered Entity or its Affiliates located in New York or responsible for business of the Covered Entity

Section 500.19 (a)(2): Less than $5,000,000 in gross annual revenue in each of the last three fiscal years from New York business operations of the Covered Entity and its Affiliates

Section 500.19 (a)(3): Less than $10,000,000 in year-end total assets, calculated in accordance with generally accepted principles, including assets of all Affiliates

Section 500.19 (b): An employee, agent, representative or designee of a Covered Entity, who is itself a Covered Entity, is exempt from this Part and need not develop its own cybersecurity program to the extent that the employee, agent, representative or designee is covered by the cybersecurity program of the Covered Entity

Section 500.19 (c): A Covered Entity that does not directly or indirectly operate, maintain, utilize or control any Information Systems, and that does not, and is not required to, directly or indirectly control, own, access, generate, receive or possess Nonpublic Information shall be exempt from the requirements of sections 500.02, 500.03, 500.04, 500.05, 500.06, 500.07, 500.08, 500.10, 500.12, 500.14, 500.15 and 500.16 of this Part

Section 500.19 (d): A Covered Entity under Article 70 of the Insurance Law that does not and is not required to directly or indirectly control, own, access, generate, receive or possess Nonpublic Information other than information relating to its corporate parent company (or Affiliates) shall be exempt from the requirements of sections 500.02, 500.03, 500.04, 500.05, 500.06, 500.07, 500.08, 500.10, 500.12, 500.14, 500.15, and 500.16 of this Part

To file for an exemption: log into the NYDFS Portal and file. Save the email you receive after filing for evidence.

Key Dates Under New York’s Cybersecurity Regulation (23 NYCRR Part 500)

Here are other important dates to know when it comes to the new regulation (the following information is from the New York Department of Financial Services and is available here):

  • March 1, 2017: 23 NYCRR Part 500 becomes effective.
  • August 28, 2017: 180-day transitional period ends. Covered Entities are required to be in compliance with requirements of 23 NYCRR Part 500 unless otherwise specified.
  • September 27, 2017: Initial 30-day period for filing Notices of Exemption under 23 NYCRR 500.19(e) ends. Covered Entities that have determined that they qualify for a limited exemption under 23 NYCRR 500.19(a)-(d) as of August 28, 2017 are required to file a Notice of Exemption on or prior to this date.
  • February 15, 2018: Covered Entities are required to submit the first certification under 23 NYCRR 500.17(b) on or prior to this date.
  • March 1, 2018: One year transitional period ends. Covered Entities are required to be in compliance with the requirements of sections 500.04(b), 500.05, 500.09, 500.12 and 500.14(b) of 23 NYCRR Part 500.
  • September 3, 2018: Eighteen-month transitional period ends. Covered Entities are required to be in compliance with the requirements of sections 500.06, 500.08, 500.13, 500.14(a) and 500.15 of 23 NYCRR Part 500.
  • March 1, 2019: Two-year transitional period ends. Covered Entities are required to be in compliance with the requirements of 23 NYCRR 500.11.

If you need assistance filing for an exemption, Financial Computer is providing complimentary assistance for FPA members. Click here to schedule some time with one of our cybersecurity experts.

Brian E
Brian Edelman is a cybersecurity expert and the CEO of Financial Computer, Inc., a company that provides cybersecurity, integrations and IT support to the financial services community.