6 Compliance Tips for Hedge Fund Third-Party Risk Management
Traditionally, hedge funds were small operations with a fund manager and relatively few employees. These days, the industry is in rapid transition. Funds increasingly rely on complex, illiquid assets with complex trading strategies–and that means more resources, more infrastructure, and more risk management.
The problem? Not all hedge funds are prepared for that transition.
Like other areas of the financial sector, third-party risk management is an increasingly critical issue for hedge funds, and the cost of non-compliance is high. It may even be the difference between a strong year and struggling to stay in business. For forward-thinking hedge funds, it’s time to think about third-party risk management. Here are our 6 hedge fund compliance tips to manage your third-party vendors successfully.
1. Understand How Third-Party Vendors Introduce Risk
At the end of the day, all asset managers use third-party vendors, even if you don’t realize it. Today, technology is integrated into all levels of asset management, a reflection of an increasingly diverse (and increasingly global) asset management system.
And unless you build all of that technology yourself, you have to rely on third-party vendors.
How that technology is used depends on the fund in question. A recent report by ECI reports 9 out of 10 hedge fund startups rely on cloud-based solutions over traditional on-premise solutions. However, hedge funds purchase risk and analysis technology is a direct byproduct of their size, strategy, focus, and asset manager’s background. In other words, your risk landscape depends on…well, you.
So, your first step in compliance is understanding what risks you need to watch for. That way, you can start tailoring your focus to your unique risk case.
For example, one major concern with third-party vendors is weakened cybersecurity practices. Every interface with your vendor can introduce a new layer of cybersecurity vulnerability. You should also be concerned with making sure your vendor’s practices are in keeping with the latest regulations–wherever you work in the world. Each vendor will introduce risk in a slightly different way, so your third-party risk management program must account for that.
2. Know Your Relationships
From there, you can take a look at your unique vendor relationships–and how they introduce risk to your hedge fund.
When we talk about relationships, we’re talking about the service your vendor provides. This means more than just the raw tech. It also refers to the depth and breadth of your vendor relationships. Think of your fund as a structure and the vendor as ivy. If you could yank off the ivy and just take a bit of paint, that’s a surface-level relationship. On the other hand, if removing it would require some structural assessments, that’s a deep relationship.
That’s important to understand. The deeper the vendor is, the more data they have, and the riskier they are.
Keep in mind that the depth and breadth of your relationships are often a product of how large you are. Larger funds have more resources for institutional solutions distributed across a variety of vendors. That way, they can provide top-tier service to their investors. Smaller funds, however, don’t have such deep pockets, and they likely only deal with a handful of third-party vendors.
Also, keep in mind that any outsourced vendor qualifies as a third-party vendor. This includes:
Application management providers
Basically, if you pay for the service through someone else, they’re a third-party vendor.
When assessing these relationships, you’re concerned with two things: 1) the service they provide, and 2) their level of data access.
3. Define Your Objectives
Next, think about your organizational objectives. This isn’t as obvious as you think.
“Staying compliant with the law” is not an objective. An objective should be incredibly precise, with a clear path of implementation. You should understand exactly how it factors into your risk management process.
For example, a good place to start is by looking at applicable compliance regulations. Then, craft your objectives based on the language of those regulations. That way, you can chart a path to achieve compliance based on where you are now.
At this stage, it’s also a good idea to spell out who at your fund is responsible for managing third-party compliance. Ideally, this should be someone’s sole job, especially if you have a lot of vendors. However, if you have limited resources and have to spread out the job among multiple people, you should clearly define what their roles are, their timeline for completing them, and their performance metrics. Introducing a third-party risk management platform like Privva reduces the time required by the team.
4. Gather and Validate Information
Once you know who you’re dealing with and how you plan to achieve compliance, you’re ready to start gathering information.
Ideally, you should have already done this as part of your due diligence when taking on a new third-party vendor. If you haven’t, there’s no time like the present. And if you’ve already gathered information, now is the time to craft a checklist and make sure you have all the relevant information to make a risk assessment.
Don’t forget, you’re collecting information from the vendor, which means they’re the ones best equipped to provide it. Get them involved in the process with a third-party risk management questionnaire. This will prompt them to provide all the information you need.
5. Conduct a Risk Assessment
Once you have all of the relevant information, you’re ready to conduct a risk assessment.
A risk assessment is a process of evaluating whether a vendor is worth working with based on the risks and benefits they bring to the table. This includes a detailed assessment of their compliance practices and how those practices align with yours. These assessments should be weighted based on the level of involvement–a surface-level vendor who doesn’t handle much data isn’t as much of a concern as a core service provider.
You should perform your assessment based on a universal scoring system so that every vendor is assessed on equal terms. This keeps the process objective. Hint: if you don’t already have a scoring system, now is the time to make one.
6. Audit, Monitor, and Reevaluate
Your work isn’t done once you hire a vendor. Quite the opposite. Once you hire them, they have access to your data, which means you need to handle risk actively.
In practical terms, you should regularly monitor the vendor’s practices to ensure compliance, along with routine audits. If regulations update, you need to audit vendors for compliance. In addition, you should also conduct routine deep dives into their best practices comparable to what you did during due diligence.
For low-risk vendors, these in-depth reviews should be conducted annually. For high-risk vendors with significant data access, these should be conducted every few months.
Your Partner in Hedge Fund Third-Party Risk Management
Like the whole hedge fund sector, hedge fund compliance is not for the faint of heart. But for both large and small hedge funds, it can be hard to keep pace with hedge fund third-party risk management.
At Privva, we offer industry-leading security assessment tools tailored to hedge funds so that you can always ask the right question to the right vendor at the right time. So if you’re ready to take a smarter approach to compliance, get in touch to learn how we can help.