After the SEC Vendor Due Diligence Rule: A Guide for RIAs and Financial Firms

Vendor relationships are the backbone of modern financial services operations, handling such areas as cloud infrastructure, data analytics, compliance tech, and cybersecurity services. These third-party vendors are integral to how firms operate, compete, and scale. But increased reliance on vendors also means greater regulatory and reputational risk.

In June 2025, the Securities and Exchange Commission (SEC) quietly withdrew its proposed rule that would have imposed formal due diligence and monitoring requirements on registered investment advisors (RIAs) that engage service providers for critical functions. But the message behind that proposed change to the Investment Advisers Act of 1940 still stands. Regulators continue to expect firms to take responsibility for their vendors, especially when those third parties touch client data or core business systems.

The onus is on financial firms and compliance leaders to strengthen oversight now rather than waiting for future SEC vendor due diligence rules. Proactive due diligence and ongoing monitoring are essential risk management practices that protect clients and demonstrate governance maturity.

Learn how forward-looking RIAs and financial services firms can continue to build resilient vendor oversight programs—and why working with a dedicated risk partner can make all the difference.

Table of Contents

1. The Importance of Vendor Due Diligence
2. 3 Key Components of an Effective Vendor Due Diligence Process
3. How to Leverage Your Risk Management Partners
4. What’s Next for Effective Vendor Due Diligence

The Importance of Vendor Due Diligence

Vendor due diligence isn’t just a “check the box” exercise. It is a strategic process that allows firms to understand potential risks their service providers may pose across data security, regulatory compliance, business continuity, financial stability, and ethical conduct.

RIAs have a fiduciary responsibility to act in their clients’ best interests, and this includes understanding whether service providers meet appropriate industry standards. If a critical vendor experiences a security breach, violates the law, or suffers an operational failure, the downstream consequences for advisors and their clients can be immediate and severe. These risks include financial losses, regulatory penalties, and long-term damage to brand trust.

By conducting due diligence, firms also signal their governance maturity to regulators. Even without a binding SEC vendor due diligence rule, regulators expect firms to demonstrate a risk-based approach to third-party oversight. This includes showing why a vendor was selected, how risks were assessed, and what controls are in place to periodically monitor performance and prevent harm.

Firms that embed vendor oversight into their operational DNA reduce their exposure and position themselves to respond quickly and decisively when vendor-related risks emerge.

3 Key Components of an Effective Vendor Due Diligence Process

Initial Assessment

A robust vendor risk management program begins with a comprehensive onboarding process. Firms should create a standard intake workflow that includes:

• • Risk-based tiering of vendors based on the sensitivity of the data or function they manage
  • Review of the vendor’s financial statements and litigation history
  • Evaluation of cybersecurity and privacy controls, including encryption, access management, and breach notification protocols
  • Understanding the vendor’s compliance with relevant regulatory frameworks (e.g., GLBA, SOC 2, GDPR, etc.)
  • Requests for independent audits, certifications, or assurance reports
  • Assessment of ethical practices and ESG (environmental, social, and governance) policies, especially for vendors operating in regulated or sensitive industries

This stage should culminate in a documented decision that weighs the benefits and risks of engaging the vendor. This decision should be supported by evidence and approved by relevant stakeholders.

Ongoing Monitoring

Vendor due diligence isn’t static. A provider deemed “low risk” in year one can become a significant liability in year two or three. Changes in ownership, cyber incidents, regulatory enforcement actions, or financial distress can all shift a vendor’s risk profile. To stay ahead, firms should implement:

• • Scheduled reassessments (e.g., quarterly, biannually, or annually based on vendor tier)
  • Performance monitoring against service level agreements (SLAs)
  • Alerts for news, legal filings, or regulatory updates related to the vendor
  • Internal incident tracking that links vendor behavior to business outcomes

Firms that conduct continuous oversight won’t be caught off guard by negative developments, and they can respond more quickly and effectively when issues arise, including renegotiating terms, escalating concerns to leadership, or terminating the relationship.

Documentation and Recordkeeping

Regulatory expectations increasingly hinge on documentation. It’s not enough to say, “We performed due diligence.” You must be able to show it clearly, consistently, and quickly. Firms should:

• • Maintain vendor profiles, including intake forms, contracts, risk assessments, and escalation records.
  • Create audit trails for all decisions and changes in vendor status.
  • Implement document retention policies aligned to regulatory standards.

Audit readiness ensures compliance while also building internal confidence and preparing compliance teams to respond decisively to reviews, investigations, or crises.

How to Leverage Your Risk Management Partners

While some firms may have internal vendor management programs, many lack the time, resources, or technical expertise to conduct deep, consistent due diligence. This is especially true for firms with a growing portfolio of third-party providers. This is where risk management partners can make a significant impact.

Cisive, a leader in compliance-first background screening and workforce risk solutions, offers services tailored to high-stakes, highly regulated environments like financial services. Through its Executive Intelligence and continuous monitoring services, Cisive helps firms:

• • Perform deep background checks on potential vendors and their principals, including criminal, financial, reputational, and regulatory reviews.
  • Identify red flags through sanctions screening, litigation history, and public records analysis.
  • Monitor vendors for ongoing risk indicators such as enforcement actions, ownership changes, and adverse media.
  • Streamline onboarding and reassessment processes with technology that centralizes and standardizes documentation.

This strategic partnership enables firms to manage vendor risk with greater precision and confidence. Cisive’s tools not only reduce operational friction, but they also provide a defensible framework that stands up to regulatory scrutiny.

What’s Next for Effective Vendor Due Diligence

The SEC vendor due diligence rule has been withdrawn, but the underlying expectations have not changed. RIAs and financial services firms remain accountable for how they select vendors and the risks introduced by those third parties. As vendor ecosystems grow more complex, the need for structured, risk-based oversight has never been greater.

By investing in a due diligence process that is ongoing, evidence-based, and scalable, compliance leaders can meet the moment regardless of future rulemaking. By partnering with an experienced risk management provider like Cisive, firms can extend their capabilities, accelerate vendor compliance readiness, and better protect the clients they serve.

When the risks are shared, the responsibility is shared, too. The question is not whether due diligence is required, but whether your program is strong enough to stand firm when it matters most. Speak with a pro today to streamline your vendor due diligence process.