Alternative Investment Firms Are Only As Secure as Their Third-Party Services
All alternative investment firms strive to do the right thing: strong governance policies, strict compliance procedures, and highly secure technology systems. It works, until it doesn’t. An unforeseen business disruption occurs, a secure system is hacked, or regulators come knocking. Despite all the planning, firms discover that a third-party vendor has exposed them to a crisis.
Large or small, all alternative investment firms use third-party service providers. From major data providers like BlackRock or Bloomberg to independent programmers offering risk control operations modules, outside resources are an integral part of the daily execution of asset management. When any one of these systems fails, firms are finding that regulators can—and will—hold them equally responsible with the vendor.
Finance firms need to understand that third-party vendors are not ancillary to their business. They are its business. With so much at stake for both the firm and its clients, firms need to pay attention not only to what the service provides but also to the underlying compliance and security issues demanded by today’s business and regulatory environments.
Third-Party Services Fit Every Business Model
Third-party resources are an integral part of firm infrastructure. When building out any business operation, cost considerations have an impact on whether to keep something in-house or to outsource. Technology infrastructure can be expensive, especially for small- to mid-size firms. Hiring outside help can reduce hardware costs as well as lower staff overhead. The trade-off, however, is reduced control over development and security. Every step outside the firm is a step up in risk. Firm management needs to weigh the level of risk control for every component produced elsewhere against the cost savings of performing the same work in-house.
Some third-party vendors are inevitable and necessary. Live data-streams on stock pricing and indices, for example, can only come from outside the firm. These data providers have their own strict regulatory requirements and solid security around them. With so many eyes on their processes and policies, firms can rest assured as to their security and compliance. On the other hand, it always pays to keep apprised of any regulatory or operational issues involving these data providers. At the same time, firms need to assure themselves that no weak link exists in the introduction of this data into their own internal systems.
Investment Firms Have a Due Diligence Obligation—and Requirement
When considering hiring, leasing or buying third-party service support, firms should have a structured due diligence review as part of their vetting process. Indeed, regulations in all major jurisdictions in the global market now demand compliance with specific control and oversight requirements when outsourcing. These requirements should be part of initial acquisition reviews, and should also be incorporated into ongoing process audit reviews once a vendor is engaged.
A key component of any review should be business continuity plans and disaster recovery. Since financial management is a real-time/all-the-time business, any disruption of services can have significant ramifications for managers and investors. The greatest strategy in the world is useless if you can’t execute it.
Large third-party firms have an advantage in the realm of business continuity by virtue of size. With multiple offices and deep pockets, a disruption in one location can be remedied by transferring key controls to another. For smaller vendors, disaster recovery can be more challenging. It is imperative that such a plan exists, of course, but it is incumbent upon asset managers to ensure that these plans are adequate, if not superior. Any transfer of business operations during a disruption should be seamless for the firm, with the same processes and interactions with the service occurring without any noticeable difference.
Technological security should also be paramount. Hackers are out there with a wide range of motivations, none of them good for business. A good example of the best system in the world being compromised by poor local security is the infamous Bangladesh Bank heist in 2016, in which an attempt to steal a billion dollars almost succeeded. The SWIFT network is one of the most reliable, secure financial networks in the world, yet poor security of a member bank resulted in tens of millions of dollars stolen and more tens of millions in fines for non-compliance determinations. With poor compliance checks and balances in place, outside resources can cause serious damage in time, money, and reputation.
Setting Up a Review of Outside Service Providers
Regulatory changes, staff turnover, and system updates are all ongoing issues. Transparency, of course, should be high on the list of any interaction, so that these changes can be tracked and reviewed for concerns. Having a process in place for reviewing outside vendors on hire is only one component. Regular auditing of services should continue for the life of the relationship.
Third-party services cut across the firm including the investment team, operations, information technology, client service, and marketing. The simple place to start a review is by assessing all business units within the firm. The accounting department is likely the best place to find a comprehensive list of all third-party vendors.
Maintaining a complete list of third-party services will facilitate review. Services should be categorized by business unit. Within each unit, a level of risk for each service should be assigned and appropriate due diligence processes set up. As business grows, firms will continue to make buy-versus-build decisions for their operational needs. Having a review process in place that takes growth into account should also be a priority. Paying attention to scalability with third-party vendors will also have an impact on costs and flexibility—and business continuity, disaster recovery, compliance, and security should scale with the business.
Be broad in the definition of “third-party services” to include situations of shared infrastructure. Include central control points (CCPs), custodians, and, yes, the SWIFT network as areas of assessment. Like financial management firms themselves, transfer operation businesses are reputational in nature. Confirming what you are being told by involved businesses through additional outside information sources should be done as a matter of course.
The Firm Is Its Vendors, Too
Requiring that outside vendors meet the firm’s own governance policies will contribute to the integrity of the firm and provide assurance to its clients. As financial management becomes more dispersed in the global marketplace, every external point of interaction should be accounted for in terms of compliance, security, and business continuity.
Frank Caccio is Founder at OpsCheck
The views expressed in this article are those of the author and do not necessarily reflect the views of AlphaWeek or its publisher, The Sortino Group
© The Sortino Group Ltd