I wanted to reach out to get your perspective on how others are addressing third-party service provider referral processes and whether you have a similar framework in place.
We are working through an issue involving a department within a financial organization that caters to ultra-high-net-worth clients, where the process for providing third-party service provider referrals to clients is not clearly defined or documented, and approvals are not always being obtained in accordance with policy.
These referrals can span a wide range of services, including aviation providers, medical assistance, and other service providers requested by clients.
Based on a recent review of control design and a sample of five client referrals, several gaps were identified:
- Third-party service provider referral processes, controls, and roles and responsibilities have not been clearly defined or documented.
- While a third-party service provider tracking list exists, it is not subject to periodic review and maintenance, and ownership for specific referral categories has not been assigned.
- In the sample reviewed, two referrals were provided without the required approval, evidence that the referral was provided in writing was not on file for two referrals, and three referrals were not recorded in the required system of record, despite policy requiring non-attorney referrals to be approved, delivered in writing, and documented appropriately.
The risk was assessed as low given the limited volume of referrals and the existence of informal vetting practices. That said, because the process has evolved over time, ownership, controls, and oversight mechanisms are no longer as clear as they should be. As a result, there is concern around scalability and sustainability, as well as the possibility that referrals could be provided without appropriate vetting, which could create client dissatisfaction and reputational risk.
We are now looking at how best to strengthen the framework in partnership with leadership, Legal, and Vendor Management. The areas we are focused on include:
- defining firm-wide referral categories
- establishing standards vendors must meet
- assigning control ownership
- defining review timing and process
- designing and documenting a standardized process for onboarding and maintaining vendors used for client referrals
I would be very interested to hear how others are approaching this. Do you have a defined referral framework in place, and if so, how are you handling governance, approvals, documentation, ongoing review, and ownership? More broadly, what have you found works well in making this process practical, scalable, and sustainable over time?
Any thoughts, examples, or lessons learned would be greatly appreciated.
Best,
Tiffany