How to Avoid Exposing Your Firm to Lawsuits When Working with Vendors

The number of RIAs and wealth management firms that outsource technology, operations, administration, billing, and compliance is growing. And here's why: According to the 2021 Fidelity RIA Benchmarking Study, "firms that outsource are growing faster" than their peers that keep everything in-house.

While outsourcing technology and administrative tasks has become a compulsory growth strategy for RIAs and wealth managers, it also requires firms to perform due diligence on their third-party vendors. Failure to properly vet and monitor vendors can lead to a host of problems, including financial losses, reputational damage, and regulatory scrutiny and fines.

Source: 2021 Fidelity RIA Benchmarking Study

But what about the third-party's vendors? We call these important players fourth-party vendors.

How Fourth-Party Vendors Can Expose You to Lawsuits

A fourth-party vendor is any company or individual that provides goods or services to a third-party vendor you work with (but that you do not have a direct contract). Companies often use fourth-party vendors to outsource certain business functions, such as IT support or data entry. While fourth-party vendors can provide valuable services, they also pose a potential risk.

According to a recent study, four out of five companies find it challenging to identify all the fourth-party vendors that their third-party vendors have contracts with. And yet, despite the lack of transparency, three-quarters of companies say they are confident that their third-party vendor has performed due diligence on all the fourth-party vendors with which they work.

Data breaches at fourth-party vendors can result in lawsuits. That is why RIAs and wealth managers must scrutinize the access that fourth-party vendors might have to their customer data. In addition, firms must evaluate the level of due diligence their third-party vendors have performed on these fourth-party vendors.

Recent Lawsuits Because of Poor Due Diligence

The list of large corporations sued for not properly vetting third and fourth-party vendors or failing to perform adequate due diligence on their vendors keeps growing. Target, Experian, JPMorgan Chase, Oracle, and Yahoo have all been on the receiving end of lawsuits in the last decade alone.

• Wi-Fi provider GoGo found itself on the receiving end of a class action lawsuit after a data breach at a fourth-party vendor exposed the personal information of over two million customers.
  

• Credit reporting agency Equifax was sued by the City of San Francisco after a data breach at a fourth-party vendor exposed the personal information of over 143 million people.
  

• A class action lawsuit was filed against cyber security firm Symantec after a data breach at a fourth-party vendor exposed the personal information of over five hundred million people.

These lawsuits illustrate the importance of performing due diligence on fourth-party vendors and having robust security measures in place to protect the data of customers and employees. In addition, when working with fourth-party vendors, companies should take steps to protect themselves from potential liability.

5 Tips to Protect Your Firm & Your Clients' Data

So, what gives? Why is it so hard to identify fourth-party vendors? And how can RIAs, wealth managers, and the entire financial industry ensure the integrity and security protocols of fourth-party vendors?

Because the fourth-party vendors are often sub-contractors that financial firms do not directly have a contract, it can be challenging to track down all the fourth-party vendors that might leave a firm vulnerable.

The good news is that there are steps financial advisors and wealth management firms can take to make it easier to identify fourth-party vendors and to ensure that their third-party vendor is doing its due diligence.

1. Ask your third-party vendor for a list of all the fourth-party vendors that have access to client data. This request may seem like a basic step, but it is one that many companies forget to do. If possible, require that your third-party vendors notify you when a new relationship is established with a fourth-party vendor that will have access to client data.
   

2. Include a clause in contracts with third-party vendors requiring notification of any fourth-party data or security breach.
   

3. Request copies of any due diligence reports performed on the fourth-party vendors. These reports can help determine whether your third-party vendor has vetted the fourth-party vendor.
   

4. Keep track of all your firm's communications with your third-party and fourth-party vendors. This communication trail should include email, phone calls, and meetings. These records can help show that you took steps to identify potential risks.
   

5. Consider working with an operations consultant to track and manage third-party vendor relationships and conduct due diligence on fourth-party vendors.

While fourth-party vendor management is not easy, it is possible to manage these relationships effectively if you are willing to put in the effort.

Perform due diligence on your vendors. This includes researching the vendor's history, reviewing their policies and procedures, and speaking with their clients. Additionally, the vendors that you work with should provide you with an outline that establishes the role and responsibilities of any fourth-party vendors.

Our Commitment to Due Diligence & Our Clients’ Data

Here at AllBackoffice, our in-house & U.S. - based staff is knowledgeable about the common security pitfalls that firms may encounter when working with third and fourth-party vendors. That is why we spend time and money performing due diligence and ensuring the security of our client's data.

All the suggestions we laid out in this article are at the heart of our internal processes and structure. We encourage RIAs to take their time vetting us as an outsourcing partner so they can grow comfortable with our commitment to due diligence.

Contact us today to talk about how we can help your firm perform due diligence checks on your vendors. Outsourcing can help your firm grow. However, working with a provider that protects your clients’ data and provides you with peace of mind is critical. We hope to hear from you today about how our team of operations and administration professionals can help you do just that!

About AllBackoffice

Founded in 2009, AllBackoffice Consulting provides operations and administrative services to registered investment advisors, financial planners, and holistic wealth management firms. Through AllBackoffice, financial professionals transform daily functions and tasks into automated data management. Outsourced workflow support, turnkey management of technology platforms, designing and implementing workflow best practices, quarterly billing and reporting, client support and training, and more are all included in AllBackoffice's personalized support packages.