How Fund Service Provider Diligence Has Evolved
The risk surface around asset managers has expanded: more providers, more interconnections, more regulatory touchpoints. Here is how operational diligence has kept pace, where the gaps remain, and what the next wave of complexity looks like.
The early model was straightforward. A manager launched a fund, appointed a handful of providers (legal counsel, an administrator, an auditor) and focused on investing. The relationships were manageable in number, largely stable over time, and well understood by everyone involved. Service provider diligence reflected that: a standard set of questions, answered once at onboarding, reviewed periodically.
That model has not broken down. It has grown. As asset classes matured, strategies diversified, structures became more complex, and the degree of outsourcing expanded, the number and variety of provider relationships per fund and manager increased substantially. Technology brought in a new category of operational dependency. AI is now embedded across most providers. Regulation has followed. The interconnected nature of these relationships, and the risk that runs through them, has expanded faster than most oversight frameworks have. The practitioners working through that gap are building something more sophisticated than what came before.
The Universe Is Larger Than Most Oversight Frameworks Can Keep Pace With
A modern asset manager may depend on 15 to 25 core providers for a single institutional fund and 40 to 75 provider relationships across a broader platform. For global, multi-asset, multi-jurisdiction managers, the total can exceed 100 once systems, data vendors, regulatory providers, banks, and sub-service providers are counted. In 2026, that universe extends well beyond the traditional tier of administrator, auditor, custodian, and fund counsel.
Any third party that supports the manager's investment process, fund operations, investor servicing, regulatory obligations, books and records, cybersecurity, data, communications, treasury, or asset-level operations belongs in the oversight conversation. That means cloud providers, AI tools, CRM systems, pricing vendors, background check providers, electronic communications archives, banks, and cybersecurity firms, alongside the traditional fund vendors.
| Category | Examples | Why It Belongs in Oversight |
|---|---|---|
| Fund Operations | Administrator, transfer agent, registrar | NAV, capital activity, investor records |
| Asset Safekeeping | Custodian, depositary, trustee, prime broker | Asset protection, reconciliation, counterparty risk |
| Legal & Regulatory | Fund counsel, ManCo, AIFM, Responsible Entity | Formation, governance, licensing, regulatory accountability |
| Finance & Reporting | Auditor, tax adviser, valuation agent, pricing vendor | Financial statements, tax reporting, valuation integrity |
| Technology & Systems | OMS, PMS, accounting system, investor portal, CRM | Core operating infrastructure; operational resilience |
| Data Providers | Market data, ESG data, sanctions data, benchmarks | Investment, compliance, reporting, and valuation inputs |
| Electronic Comms | Email, chat, mobile archive, call recording | Books and records, supervision, regulatory exams |
| Cyber & Resilience | Cloud, identity, backup, incident response | Operational resilience and breach response |
| Banking & Treasury | Operating bank, fund bank, fund finance lender | Liquidity, payments, management company continuity |
| Asset-Class Specialists | Property manager, loan servicer, technical adviser | Strategy-specific operating risk |
Data Vendors Are Not Neutral Inputs
Data providers increasingly feed regulated outputs: NAV, valuation support, risk models, ESG claims, benchmark comparisons, sanctions screening, investor reporting, and marketing materials. A pricing vendor affects valuation. A sanctions data provider affects onboarding decisions. A benchmark provider affects performance presentation. An ESG data provider affects product claims. These vendors are not passive information sources; they are part of the manager's control environment. Oversight should cover source methodology, refresh frequency, exception handling, sub-vendors, and what happens when the data is wrong.
Background check providers also belong in the provider map. They support employee screening, key-person diligence, founder diligence, borrower diligence, investor onboarding, sanctions screening, adverse media review, anti-bribery checks, and counterparty review. For private markets strategies, the output of a background check can directly affect investment approval, reputational risk, and investor confidence.
Fund-Level and Manager-Level Providers Are Not the Same Thing
The fund vehicle (the LP fund, AIF, or scheme) and the management company are legally distinct entities with separate risk profiles. Service providers work for one, the other, or both. Failures at each level have different implications, different remediation timelines, and different impacts on investors. Oversight frameworks that treat them interchangeably miss risks at both.
Fund-level providers:
- Fund Administrator
- Fund Auditor
- Fund Counsel (formation)
- Custodian
- Depositary (AIFMD)
- Registrar / Transfer Agent
- Independent Valuation Agent
- Fund Tax Adviser
- Fund Directors / Board
- Subscription Credit Facility Lender
- Loan Administrator (credit funds)
- Property Manager (real estate funds)

Manager-level providers:
- Operating Bank
- Payroll Provider
- Corporate / Employment Counsel
- Compliance Consultant / CCO
- Placement Agent
- CRM
- Portfolio Management System
- Email, Chat & Mobile Archive
- Cloud Provider
- Cybersecurity Provider
- Background Check Provider
- AI & Data Platforms
Scale, Consolidation, and the New Entrant Dynamic
Global alternative assets under management reached $23 trillion in 2024, up from $10.7 trillion in 2020. The trajectory toward $40 trillion by 2030 reflects structural demand, not a cycle. Private wealth platforms, DC plan inclusion, and institutional re-allocations toward private markets have all broadened the LP base, deepened the asset class mix, and extended the geographic footprint of managers and their providers.
Source: Preqin Global Alternatives Report 2025; McKinsey Global Private Markets Review 2025
Consolidation at the Top, Specialisation at the Edges
The fund administration market tells a story in two parts. At the top, consolidation has been significant: SS&C administers more than $2.5 trillion in alternative assets; Apex Group has built a presence across more than 50 offices in 40 jurisdictions through serial acquisition. Industry estimates suggest the top five administrators hold approximately 38 to 42% of global market revenues.
But the same growth wave has simultaneously created space for specialist entrants. The expansion of private credit, infrastructure debt, CLO administration, and NAV lending has created genuine demand for administrators with deep asset-class expertise. Generalist platforms built on legacy PE or hedge fund infrastructure do not always carry that expertise. Boutique administrators serving specialist strategies have emerged and grown in parallel with the market leaders. Both dynamics are real and ongoing.
M&A Integration Risk: What Managers Should Be Asking
Consolidation among service providers introduces a category of risk that deserves its own scrutiny: integration execution. When an administrator acquires a smaller firm, or a compliance platform merges with a data provider, the operational reality for existing clients can shift materially, even when the commercial relationship stays nominally the same.
The risks most worth examining are staff retention and continuity, system migration timelines, and service level maintenance during transition. The relationship manager and operational team who built institutional knowledge about a fund's specific structure (its waterfall logic, its side pocket treatment, its LPAC cadence) may or may not survive an acquisition intact. System migrations that affect NAV calculation or reporting delivery can introduce new error vectors. And the service level commitments in the original contract may not have contemplated a change in underlying infrastructure.
| Integration Risk | What to Ask |
|---|---|
| Staff continuity | Has the dedicated team changed since the acquisition? Who is now accountable for this relationship? |
| System migration | Has the fund's data been migrated to a new platform? Was there a parallel-run period? Were any discrepancies identified? |
| Service level | Have NAV delivery timelines or reporting formats changed? Has the SLA been renegotiated post-acquisition? |
| Contractual continuity | Has the engagement agreement been novated? Are the original terms still in force? |
| Sub-contractor chain | Has the acquisition introduced new sub-service providers who now sit in the operational chain? |
Not Every Provider Requires the Same Level of Oversight
The right question is not whether a provider exists. It is whether failure of that provider would affect investors, NAV, trading, regulatory compliance, data security, liquidity, asset protection, or the manager's ability to operate. A practical criticality framework sorts providers by consequence of failure.
Importantly, criticality is not fixed. The appropriate level of oversight for a given provider depends on the manager's jurisdiction, strategy, regulatory obligations, and the maturity and operational resilience of the provider itself. A CLO trustee is existential for a credit fund and irrelevant for a long-only equity manager. A ManCo is a regulatory gateway for a non-EU manager and entirely absent from a US-only strategy. The table below is illustrative; the actual map should be built around the specific fund's context.
| Criticality | Definition | Illustrative Examples |
|---|---|---|
| Critical | Failure could stop fund operations, impair investors, breach regulation, or compromise assets or data | Administrator, custodian, depositary, prime broker, operating bank, communications archive |
| High | Failure would materially disrupt reporting, compliance, fundraising, valuation, or investor servicing | Valuation agent, AML/KYC vendor, CRM, tax adviser, regulatory filing provider |
| Medium | Important but replaceable with manageable lead time | Data room, DDQ platform, market intelligence, HR systems |
| Low | Helpful but not core to fund operations or regulatory obligations | General marketing support, event vendors |
On Administrators: Scope Matters More Than Name
The fund administrator is often treated as a single relationship. It is not. Administrators can be engaged for some functions and not others, and the DDQ may still name the provider without specifying what is actually covered. Reviewing the actual engagement agreement is the only reliable way to know who is doing what.
For private markets managers, the independent valuation agent is the most consequential provider to verify. In VC in particular, administrators often exercise limited practical control over valuations. Authority frequently rests with the manager, creating the very conflict the structure is meant to prevent.
SOC certifications also warrant direct scrutiny. Not all administrators hold ISO and SOC 1 certifications. Where a SOC report exists, confirm that it is Type II, not Type I, and that the audit scope is meaningful. A qualified opinion is not a routine finding. It warrants follow-up: is this consistent across review periods, and what is the manager actually doing in response?
What Operational Failures Have Taught the Industry
The cases that have shaped ODD practice most are not the ones involving poor investment decisions. They are the ones where the operational infrastructure failed, was compromised, or was more fragile than it appeared. Each one has contributed to how the industry approaches service provider diligence today.
Weavering Macro Fixed Income Fund collapsed in March 2009 with investor losses exceeding $450 million. The fund's primary assets, interest rate swaps valued at more than $630 million, were held with a BVI counterparty majority-owned and controlled by the fund's own portfolio manager. The swaps were essentially worthless. The NAV had been materially misrepresented for years.
The fund's independent directors were close personal relations of the manager. The administrator had flagged the related-party swap exposure in quarterly reports. The information was available. It was not acted on. The Grand Court of the Cayman Islands later ordered both directors to pay $111 million each for neglecting their duties. Over 60% of the fund's assets were priced directly by the counterparty, a concentration that standard DDQs of the era would have missed by asking only whether assets were "independently valued."
Millennium Global Emerging Credit Fund used GlobeOp as both administrator and valuation agent. The DDQ stated that no assets were valued in-house and that GlobeOp valued 100% of the portfolio. Both statements were accurate. GlobeOp obtained monthly marks from third-party brokers who were receiving undisclosed payments from the portfolio manager in exchange for inflated prices. The process operated exactly as described, and produced systematically false results.
When Silicon Valley Bank failed in March 2023, management companies with operating accounts at SVB were unable to process payroll for days. LP capital in the funds was untouched; the fund-level structure worked as designed. The disruption was at the management company level: payroll, vendor payments, and day-to-day operations.
The episode was a prompt for the industry to examine a dimension of operational risk that had been underweighted: the banking relationships of the management company itself, as distinct from the fund. Questions about operating account concentration, backup banking arrangements, and business continuity at the GP level are now part of many institutional DDQ templates.
Electronic Communications as a Regulatory Dependency
Email, chat, mobile messaging, call recording, and collaboration tools are part of the manager's books-and-records environment. If business is conducted through a channel, the manager must be able to retain, supervise, and produce it. The provider managing that infrastructure carries genuine regulatory exposure. It is not an IT vendor in the traditional sense.
In 2022 and 2023, the SEC and CFTC imposed over $2 billion in fines across 16 major financial institutions for recordkeeping failures related to off-channel communications, primarily WhatsApp and personal devices used for business. The enforcement pattern is now extending to asset managers. The 2024 amendments to Regulation S-P further require that any provider handling investor nonpublic personal information, including communications platforms capturing LP interactions, must contractually commit to data safeguard obligations.
| Provider Type | Key ODD Question | Red Flag |
|---|---|---|
| Email Archive | Are records immutable, searchable, and retained for the required period? | No WORM storage; gaps in retention |
| Chat Archive | Are Slack, Teams, and Bloomberg messages captured, including edits and deletions? | Chat platforms used for business decisions are unarchived |
| Mobile / Personal Device | Are SMS or WhatsApp used for business? If yes, are they captured? | "We have a policy against it" without a technical control |
| Surveillance Platform | Are communications reviewed for MNPI risk and conduct concerns? | Archive exists but no active surveillance or review cadence |
AI Is Now Embedded Across the Provider Ecosystem
AI is no longer a category of service provider on its own. It is embedded within most categories. Fund administrators use AI for document ingestion and reporting. AML providers use it for screening. ODD platforms use it for DDQ automation. Data providers use it for analytics. Cybersecurity vendors use it for threat detection. The question for managers and allocators is no longer whether their providers use AI (most do), but how it is governed, where the human review points are, and what the failure modes look like when AI output is wrong.
In fund administration, AI-driven document ingestion has materially reduced the manual burden of portfolio company data collection. In due diligence, AI-generated analysis can compress the time from data collection to first-pass assessment from weeks to hours. These are genuine operational improvements. They also introduce new vectors: extraction errors that compound in financial statements, and automated outputs accepted without sufficient human review.
Roughly 70% of allocators are now asking managers about AI use as a baseline disclosure question. The trajectory mirrors how cybersecurity diligence evolved: disclosure becomes governance, and governance eventually becomes a threshold requirement.
Hallucinations in DDQ responses are a specific concern. AI tools drafting responses to allocator questionnaires can misinterpret a manager's own policies, not through fabrication, but through misreading nuanced internal documents. Human review before submission is not optional.
Deepfakes are creating friction in callback and verification procedures. Voice-based verification has been a practical cornerstone of fraud prevention. AI-enabled voice synthesis is eroding its reliability, and no widely adopted replacement standard has yet emerged.
The offensive dimension is underweighted. The same tools improving operational efficiency are being deployed against firms through more sophisticated phishing, synthetic identity fraud, and social engineering. Staff awareness training has not kept pace with the attack surface.
| AI Application | Operational Benefit | Governance Requirement |
|---|---|---|
| DDQ Automation | Faster response cycles; consistency across questionnaires | Human review of every response before LP submission; version control |
| Document Ingestion | Reduced manual data entry; faster LP reporting | Reconciliation against source documents; materiality thresholds for human review |
| AML/KYC Screening | Faster onboarding; consistent monitoring | Human escalation protocols; regular tuning of screening parameters |
| General LLMs | Research acceleration; first-draft analysis | Written AI use policy; data processing agreement with vendor; no LP data to unvetted APIs |
| Verification / Identity | Faster initial checks | Multi-factor verification; no single-channel trust for consequential decisions |
Regulation Is Formalising What Practice Has Long Expected
Three regulations that took effect between 2024 and 2025 have moved service provider governance from best practice to documented obligation. They are worth understanding not as compliance requirements in isolation but as codifications of expectations that institutional allocators and experienced practitioners have held for some time.
DORA requires EU financial entities, including AIFMs and UCITS ManCos, to identify, assess, contractually control, and monitor ICT third-party service providers, with heightened expectations for providers supporting critical or important functions. Contracts must include specific provisions such as service levels, data location requirements, incident notification, audit rights, and exit planning. Cloud providers may face direct EU regulatory oversight if classified as critical ICT third-party providers. The ICT vendor list is now a regulatory artifact.
At the London roundtable, practitioners noted that European allocators hold materially higher expectations for third-party risk governance than the current US framework requires, particularly around valuation independence.
CPS 230 extends oversight to fourth parties (the vendors of the vendors) and explicitly identifies investment management and fund administration as critical operations for superannuation fund licensees. Australian super funds must now conduct documented ODD on external managers and on those managers' service providers. For managers with Australian super fund LPs, documented service provider oversight is a fundraising prerequisite.
The 2024 amendments to Regulation S-P extend safeguard obligations to service providers handling investor nonpublic personal information. Contracts must require appropriate safeguards and 72-hour breach notification. Fund administrators, CRMs, communications platforms, and AI tools processing LP data all now require contractual data protection provisions. Data governance has become a vendor contract issue, not just an internal policy matter.
Regulatory Themes and the Providers They Touch
| Regulatory Theme | Provider Categories Affected |
|---|---|
| DORA / ICT resilience | Cloud, cybersecurity, data centres, core systems, communications platforms |
| CPS 230 / operational risk | Material outsourced providers, administrators, banks, technology vendors, sub-advisers |
| Reg S-P / privacy safeguards | Administrators, investor portals, CRM, AML/KYC vendors, AI tools, communications archive |
| Books and records | Email, chat, mobile archive, OMS/EMS, CRM, marketing systems, DDQ platforms |
| SEC Marketing Rule | Placement agents, promoters, pitchbook vendors, factsheet tools, performance reporting systems, websites |
| UK FCA operational resilience / outsourcing | Cloud, outsourced operations, administrators, custodians, technology providers, communications systems |
| AIFMD / UCITS delegation | ManCo, AIFM, depositary, delegates, valuation agents |
| AML / sanctions | KYC providers, administrators, transfer agents, banks |
| Custody / safekeeping | Custodians, depositaries, trustees, prime brokers |
What Mature Service Provider Governance Looks Like
Studies of operational failures in asset management consistently show the same pattern: the gap is rarely the absence of providers. Most failed funds had administrators, auditors, directors, and valuation agents. The gap was in the governance around those relationships: whether the providers were genuinely independent, whether oversight was active, and whether anyone had real escalation authority when something needed to be raised.
Managers who handle service provider governance well share four observable characteristics. They maintain named internal ownership for every critical provider relationship: a specific person, accountable for the relationship, who would notice if the service level degraded. They conduct formal annual reviews against documented standards, with minutes that can be provided to allocators on request. They have articulated contingency plans: not paragraphs in a business continuity document, but operational blueprints for what happens if a critical provider exits. And they disclose proactively: a delayed NAV, a compliance system outage, or an auditor change goes to LPs before they ask.
The execution challenge is real. For most firms, provider information still lives across DDQs, spreadsheets, contract folders, SOC reports, and ad hoc email exchanges. That fragmentation is itself a governance gap. A centralised provider inventory, repeatable review workflows, criticality scoring, and documented evidence that reviews occurred, not just that they were scheduled, are the infrastructure that makes governance visible and defensible.
"You can outsource the function. You cannot outsource the risk."
Cayman ODD Panel · April 2026
Five Questions ODD Teams Should Be Asking Now
| Question | Why It Matters |
|---|---|
| Do we have a complete inventory of fund-level and manager-level providers? | Most oversight gaps sit outside traditional fund service provider lists. |
| Which providers are critical, high, medium, or low risk? | Oversight should be proportional to the consequence of failure. |
| Which providers touch investor data, books and records, regulated communications, or valuation inputs? | These create regulatory, privacy, and investor protection obligations. |
| Do legacy contracts include cyber, privacy, incident notice, audit rights, sub-service provider, and exit provisions? | DORA, Reg S-P, CPS 230, and operational resilience expectations all make contract terms more important. |
| What is the exit plan if the administrator, operating bank, cloud provider, archive vendor, or CRM fails? | Critical provider oversight requires transition plans, not just annual reviews. |
What the Diligence Network Sees
DiligenceVault connects 250+ allocator teams and 20,000+ asset managers across 150+ countries. Every DDQ submitted, every service provider named, every disclosure made. Over time, this builds a picture of what genuine operational governance looks like across the ecosystem. In practice, at scale, across market cycles.
Network-level intelligence reveals patterns that point-in-time questionnaire data cannot: where risks cluster, which provider relationships are genuinely independent, and which managers treat operational governance as a discipline rather than a filing exercise.
For allocators and managers, the next step is turning that visibility into repeatable, evidence-backed oversight.
Selected sources: Preqin Global Alternatives Report 2025; McKinsey Global Private Markets Review 2025; Grand View Research fund administration services market forecast; SS&C Technologies and Apex Group public disclosures; SEC and CFTC enforcement releases on off-channel communications (2022–2024); EU Digital Operational Resilience Act (DORA); APRA CPS 230; SEC Regulation S-P amendments (2024); Cayman Islands Grand Court rulings in Weavering Capital (2011–2015); public enforcement and litigation records relating to Millennium Global Emerging Credit Fund; DiligenceVault ODD Roundtable proceedings (London, NYC, Cayman 2025–2026).