Performing robust due diligence when searching for an outsourcing partner may someday go from a best practice to a regulatory requirement. This past November, the SEC proposed an outsourcing due diligence rule that would expand 17 CFR Parts 275 and 279 to regulate outsourcing initiatives carried out by investment advisers.
The proposed rule states that it would be unlawful for a registered investment adviser to retain a service provider for outsourcing certain functions without conducting sufficient due diligence. Functions noted within the proposed rule include cybersecurity and many front office and middle office functions. The rule goes on to require ongoing monitoring and oversight of the service provider.
Costs of Cutting Corners
The proposed rule has received industry pushback, with some stating that regulations around due diligence and monitoring are not needed because these activities are already being done. The reality we often observe, though, is that the degree to which due diligence activities are performed is highly variable, with some asset managers merely performing an RFP for critical and complex functions without executing other key components of due diligence. Worse yet, we sometimes see asset managers make provider selections from the C-suite, bypassing even the RFP!
Asset managers who are only willing to invest in lightweight due diligence are those whose outsourcing initiatives often encounter delays or even failures. In other cases, if your chosen provider didn’t fully understand the expected scope of work or their capabilities weren’t validated, your firm may find itself with buyer’s remorse, retaining more work than anticipated. Or, even more concerning, your firm may find unexpected and unfavorable “surprises” that pop up during or after implementation, potentially putting investors at risk.
A common mistake is underestimating the importance of pairing an outsourcing engagement with a detailed review of internal data strategy. Due diligence frequently focuses on functional capabilities and the quality of data delivered from the service provider. But due diligence should also include a deep analysis of the organization’s data, including its lifecycle through consumption, to avoid leaving data at the doorstep.
Asset managers also often struggle post-implementation with monitoring due to having only a loose plan in place. Due diligence efforts should include identifying which areas of the work to monitor, how to leverage oversight tools, the operating model to use for oversight, and how to measure and evaluate provider performance. Getting this right will enable risk management and help avoid strains in the relationship with your provider.
Olmstead’s Due Diligence Framework
Olmstead customizes the due diligence process for each client, as needs are unique based on the client’s structure, goals, and culture. But the methodology we follow is consistently applied, not only to guide in selecting the provider that is the best fit but also to ensure that any risks, gaps, and other challenges which may be lurking are discovered and mitigated ahead of selection and implementation.
No provider is perfect. The secret to success is following a methodical approach to flush out issues ahead of time and formulating a target state roadmap that includes how to manage and mitigate those issues. And while regulation of this space may be heavy-handed, the SEC’s proposed requirements do shine a light on many of the real risks that must be mitigated through robust due diligence.
At Olmstead, we firmly believe in following due diligence best practices to ensure a safe and efficient transition to the right outsourcing partner for your firm. Reach out today to learn more about Olmstead’s methodology.