Six Do’s and Don’ts for Advisor Due Diligence

On the other hand, it's impossible to perform due diligence on everyone and everything. Are advisors really expected to turn over every stone at the United States Postal Service if it delivers clients' quarterly statements? No. The key, much like a compliance program in general, is to tailor a due diligence program to the specific advisory practice and the potential risk that each third-party service provider may pose to clients. There is no standard investigative recipe, but advisors should consider taking the following steps to begin constructing a suitable due diligence program:

1. Identify existing third-party service providers that are material to the client relationship, either due to the sheer number of clients that the service provider touches, the assets it can control, or the risks it may pose to clients should they screw up. Future potential third-party service providers should be vetted ahead of time using the same or similar process.

2. For each third-party service provider, consider what information would be helpful to know in order to give you comfort that your clients' bests interest are being protected. Common areas of inquiry include disciplinary history, policies and procedures, disaster recovery preparedness, code of ethics violations, security protocols, etc. Deeper dives should be taken on the specific service that is being provided. Again, the list is far from exhaustive; however, the quality, not quantity, of information is what matters. 
3. Consider how you would like to obtain the information of interest. Depending on the relationship, any combination of telephonic interviews, on-site visits, questionnaires, certifications/attestations or other document requests can help fulfil your need. If the third-party service provider is large enough, request an SSAE 16 / SOC-1 or other independent control report to take advantage of the heavy lifting done by an independent auditing firm. Don't be surprised if a third-party service provider requests that you sign a non-disclosure agreement before sending anything. 
4. Actually review the information received. Due diligence should not be performed for the sake of filling lonely file cabinets, but instead should be reviewed and followed-up on if there are gaps or red flags. 
5. Consider setting up a free Google Alert for certain third-party service providers so you know when negative news is released that may impact your decision to retain a relationship with them. 
6. Set a schedule that will dictate when the due diligence process should recur, either through sheer passage of time, when certain material events occur, or as your business needs change. 

All that being said, the due diligence process is not some sort of investigative utopia where everybody answers all requests in a timely fashion and freely shares all requested information. To even get a response at all can be like pulling teeth – especially for smaller advisors requesting information from industry behemoths.