Institutional diligence has mature playbooks for two situations. If you are underwriting a fund manager, the industry hands you a well-worn path: the standard ODD questionnaire, administrator confirmations, the on-site visit. If you are a retail trader wondering whether a $99 trading bot is a scam, the internet supplies endless red-flag listicles. But a growing number of family offices, fund managers, and advisers now face a third situation that is neither: licensing an external trading strategy: running a vendor's systematic model inside accounts the allocator still controls. The fund-manager DDQ does not quite fit, because no capital changes hands and there is no commingled vehicle to audit. The retail checklist is beneath the transaction. The gap between the two is exactly where diligence mistakes happen.
The stakes are the same ones operational due diligence has always guarded against. In J.P. Morgan's Institutional Investor Survey (2019, covering 227 allocators overseeing roughly $706 billion), a third of allocators reported having declined an otherwise attractive investment solely because it failed operational due diligence. And Capco's classic study of hedge fund failures found that roughly 50% were operational failures, not investment losses. There is no reason to believe a strategy vendor deserves less scrutiny than a fund; in several respects it deserves more, because fewer third parties sit between you and the provider.
One in three allocators has killed an investment purely on failed operational due diligence: the strategy was fine; the operations were not. For strategy licensing, the lesson is direct: the model is only half the file.
What follows is the framework the category is missing: seven areas, ordered the way an ODD team would actually work through them.
Every diligence failure in this market starts the same way: a performance figure was accepted at face value. So the first area is the one that filters hardest.
Every systematic track record has two segments: the simulated portion and the portion earned with real orders in a live market. A credible vendor states, in writing and with dates, exactly where one ends and the other begins. If the provider blends the two into a single equity curve, or cannot tell you the date the strategy first traded live, stop there. Standard ODD practice treats backtest-versus-live delineation as a baseline requirement, and it applies to a strategy vendor at least as much as to a fund.
Live performance should be verifiable by someone other than the vendor: broker statements, a fund administrator's confirmation, or read-only access to a tracking account. The gold standard remains the Global Investment Performance Standards (GIPS): more than 1,600 organizations claim compliance, including all of the top 25 global asset managers for some or all of their assets (CFA Institute, January 2024). Most strategy vendors will not be GIPS-verified, and that alone is not disqualifying. But GIPS tells you what good looks like: composite records, no cherry-picked accounts, independent verification. Ask how close the vendor gets to that bar, and weight the answer accordingly.
The backtest is evidence, not proof. We have written before about why backtesting alone is not enough. In a licensing context, the interrogation has four prongs:
Every strategy underperforms eventually. The diligence question is not whether the model can lose but whether the system around it is engineered for the loss. Concretely:
These questions have a fuller treatment in our piece on risk management in algorithmic trading; for diligence purposes, what matters is that the vendor answers them in writing, specifically, and without hedging.
The single most consequential operational question: does your capital move? If the arrangement requires wiring funds to the vendor, or granting the vendor withdrawal authority, you have taken on the full counterparty and fraud exposure of a fund allocation, with none of a fund's administrator, auditor, or custodian protections. A zero-custody architecture (the strategy runs in your own brokerage account, the vendor holds trade-only permissions at most, and capital never leaves your control) removes the single biggest failure mode in this market. Recall the Capco finding: half of fund failures are operational. Custody is where the worst of those failures live.
Map exactly who at the vendor can touch the deployment: who holds API keys, who can modify live parameters, and how credentials are stored and rotated. Ask the key-person question: if the lead developer leaves tomorrow, can anyone else maintain the model? Then examine change control: is the strategy versioned, are changes logged and communicated before deployment, and can you decline an update? An unversioned strategy that changes silently is not the strategy you diligenced. For automated systems generally, our piece on whether AI trading agents are safe covers the security layer in more depth.
Most strategy vendors are not registered advisers, and depending on structure they may not need to be. But the regulatory perimeter around performance marketing still tells you a great deal about who you are dealing with.
The SEC's Marketing Rule (206(4)-1) sharply restricts advertising hypothetical performance (backtests, model results, targets) to general audiences, and it is actively enforced: a September 2023 sweep fined nine RIAs a combined $850,000 for hypothetical-performance violations, and five more firms were fined roughly $200,000 in April 2024. On the futures and forex side, CFTC Rule 4.41 applies anti-fraud standards to performance claims, and Rule 4.41(b) mandates the familiar cautionary statement on any simulated results; NFA Rule 2-29(c)(1) imposes a parallel disclaimer on member communications. The CFTC has charged signal sellers for passing off simulated track records as real, and its own investor guidance says to demand independent verification.
Use this asymmetry as a screen. A vendor who volunteers compliant disclosure (clearly labeled hypotheticals, the CFTC 4.41 statement, no outcome promises) is demonstrating operational maturity before you ask. A vendor advertising "verified 90% win rates" is telling you they either do not know the rules of their own industry or do not care. Either answer is disqualifying.
Licensing economics deserve their own discussion (see our guide to how licensing trading strategies works), but four contractual points belong in the diligence file itself:
Any single item below should stop the process until resolved. Two or more should end it.
Algo Alpha licenses systematic strategies to funds, family offices, and institutions on a zero-custody architecture, and welcomes exactly this diligence: a private walkthrough includes the dated track record, the risk architecture, and written answers to every question above.
Require a written, dated boundary between backtested and live results, then verify the live portion through an independent source: broker statements, a fund administrator's confirmation, or read-only access to a tracking account. GIPS compliance is the institutional gold standard: over 1,600 organizations claim it, including all top-25 global asset managers (CFA Institute, January 2024). Even where a vendor is not GIPS-verified, its principles (composite records, no cherry-picking, independent verification) define what a credible record looks like.
A backtest is a simulation of how a strategy would have performed on historical data; live performance is what the strategy actually earned with real orders in a live market. Backtests are vulnerable to overfitting, optimistic cost assumptions, and hindsight bias, so they systematically flatter strategies. Diligence treats the two as different classes of evidence, and regulators do too: CFTC Rule 4.41(b) mandates a cautionary statement on simulated results, and the SEC Marketing Rule restricts advertising hypothetical performance to general audiences.
The major ones: guaranteed returns or advertised win rates; refusal to allow independent verification of live results; equity curves that blend backtest and live without a dated boundary; sales pressure tactics such as limited slots or expiring pricing; no clarity on the legal entity behind the product; and any structure requiring your capital to move into the vendor's custody. Any one of these should pause the process; more than one should end it.
Not necessarily. Many legitimate strategy vendors operate as software or licensing businesses outside adviser registration, depending on structure and jurisdiction. What matters is regulatory posture: whether the vendor knows the rules that govern performance marketing (SEC Marketing Rule, CFTC Rule 4.41, NFA Rule 2-29) and complies voluntarily. Volunteered, compliant disclosure is a strong signal of operational maturity; ignorance of or indifference to those rules is a strong signal of the opposite.
For an institutional allocator, a reasonable strategy-vendor review runs several weeks: document collection and track-record verification first, then the backtest interrogation, operational and security review, and legal review of commercial terms. It is materially faster than full fund-manager ODD because there is no custody, administration, or valuation stack to audit, but it should never be compressed to days. A vendor who resists a multi-week process is itself a red flag.