Case Study

From Manual Processes to Sophisticated Risk Management: How Calastone Transformed TPRM with Whistic

Calastone, the largest global funds network, enables the automation and streamlining of fund trading, settlement, and distribution by digitally connecting fund managers, distributors, and asset servicers across the global asset-management market. 

As the global leader in fund connectivity, Calastone constantly innovates to uphold the highest standards of trust and efficiency. Processing hundreds of billions of dollars in transactions each month, Calastone identified an opportunity to elevate its third-party risk management (TPRM) approach. 

For Heather Kelliher, Calastone’s Client Due Diligence and Third-Party Risk Analyst, that meant moving away from an underperforming GRC tool and finding ways to increase automation and visibility. 

“Our previous GRC tool lacked the integration and responsiveness we needed to support rapid, insight-driven assessments. Too many fragmented steps made even simple tasks time-consuming.”

Kelliher is responsible for both responding to vendor assessment requests from Calastone customers and vendor due diligence during procurement, so she needed a dual-sided solution that could provide speed, insight, and trust on both sides of her role. 

The AI-powered Whistic Platform allowed Kelliher to respond more quickly to their customers, improve risk outcomes by increasing visibility and control, and deliver instant decision-making insight about Calastone’s vendors by automating assessments with AI. 

The Challenge: Resource-Intensive and Limited Visibility

When Kelliher joined Calastone’s cybersecurity team, she encountered some key pain points in both assessment responses and procurement:

  • Manual document management. “Our old system made it very hard to do my job,” recalls Kelliher. “We didn’t have a centralized system for our security documentation, so responding to a customer or evaluating the risk potential of a vendor was a lot of internal detective work to find info and get all our documentation in a single place.”
     
  • Disconnects with her team. Calastone’s relationship managers (RMs) are often part of the assessment response process, but getting them the right answers and documentation in a secure way created hiccups. “The RMs need a way to respond to our customers in a timely, accurate way—without sharing sensitive information over insecure channels,” says Kelliher. “With documents spread among fragmented systems, there were often delays and uncertainty in the process.”
     
  • Lack of decision-making insight. “I need the intelligence about our own security posture and risk profile fast,” says Kelliher. “Without an on-demand way to access fast answers, I was almost reduced to memorizing our policies to move more quickly.”
     
  • Poor visibility. Trust is paramount to Calastone’s customers, and their old GRC platform made it much harder to maintain strong access controls during an assessment. As Kelliher explains, “We needed a better, more secure way of sharing information with customers and vendors that would allow us to have full visibility into where documents were sent and who had viewed them.”

The Transformation: Implementing Whistic

When Calastone discovered the Whistic Platform in a Shared Assessments committee meeting, Kelliher knew she’d found a comprehensive solution that solved several problems at once.

“We are a market leader in automation across our global network,” she says, “so we need to invest in a TPRM program that reflects those values with tools that match our promise to our customers. Whistic AI hit the mark for us in a big way.”

Specifically, Calastone uses Whistic Trust Center and Whistic Assess to address three critical needs:

  1. A sophisticated Trust Center for quickly, securely sharing documentation with clients
  2. AI-powered document analysis for faster vendor assessments
  3. Streamlined vendor onboarding with clear workflows and risk scoring

The Results: Efficiency, Security, and Confidence

After implementing Whistic, Calastone experienced significant improvements across multiple areas:

Enhanced security, accuracy and control 
Whistic Trust Center eliminated the feeling of document fragmentation at Calastone by centralizing security info and giving Kelliher full visibility and control—all without making InfoSec a chokepoint in the process.

“Whistic makes it simpler for my internal stakeholders to get the information clients are asking for safely; I have total visibility and control into document access, so I know what’s being shared and who can view it without having to do it all manually or by email. Our thoroughness and responsiveness is so much better,” says Kelliher. 

AI-Driven Speed 
Whistic Trust Center also utilizes Smart Response, an AI-powered capability that automates assessment response by providing context-rich answers to incoming questionnaires. This means the memorization exercises to try and learn every policy to the letter are over for Kelliher. 

“With Whistic AI, the documents themselves are the response library. That means I don’t have to spend any time manually maintaining the library or maintaining a whole separate system for security responses. The Whistic Trust Center sources our selected documents and delivers the answers we need right away.”

AI-Powered Insights
The speed and accuracy of Whistic AI also provide Kelliher and her stakeholders with richer insight into risk factors with vendors. “When we receive a question from a customer, it’s like we have our own personal Google at our fingertips. Whistic’s AI doesn’t just give us answers: it also gives us a confidence score and cites specific sources down to the sentence where the evidence is. It’s pretty neat.”

She was also able to identify discrepancies in Calastone’s own security posture. “We noticed that our own policies didn’t always align perfectly to what our SIG report was telling us. With Whistic AI, we were able to spot these vagaries at a glance and reconcile them,” explains Kelliher.

Streamlined Vendor Assessments 
Kelliher uses Whistic’s AI suite—Assessment Copilot—to automate the assessment of Calastone’s own vendors. The Vendor Summary tool has been especially useful in creating time savings and efficiency. “I love using Vendor Summary; it’s a really, really big help. I just plug vendor documents into Whistic and begin the automated review. It matches those documents against our compliance standards and generates an entire report in minutes.”

She’s even found that Vendor Summary helps her utilize a wider range of security info to accelerate the assessment process. “I have one use case where the vendor supplied me with one of their white papers; I was able to use that with the Whistic assessment workflow to answer our risk questions.”

And the reporting and visibility Vendor Summary provides has also been a huge win for Kelliher: “I’m able to produce a very clear, concise report with an easy-to-read layout; all the questions, responses, confidence scores, and answer rationale are right there.”

Professional Image and Trust 
By adopting Whistic, Calastone reinforces its reputation as a trusted and innovative force in global fund connectivity. The ability to securely and transparently share risk and compliance information strengthens client confidence and reflects Calastone’s broader commitment to operational excellence, digital transformation, and proactive governance. 

As Kelliher says, “Whistic’s platform gives our clients and vendors comfort in openly sharing information and communicating. They know it’s encrypted, their data is secure, and that we walk the walk when it comes to our forward-thinking values. It instills a level of confidence and sophistication that our customers expect and trust.”

By implementing Whistic, Calastone has taken a significant step toward modernizing its TPRM practices, building trust with customers, and establishing more efficient security documentation workflows.

Calastone is currently preparing for their SOC 2 audit, and the improvements Kelliher has overseen will make that go much more smoothly. The move from low-visibility processes to automated workflows also better reflects their position as a leader in their space—and better positions them as a growing business poised to take the next big step forward. 

Interested in learning how Whistic's AI-first platform for third-party risk management can help you deliver the innovative TPRM your business needs? Set up some time to chat with our team of experts, and we'll show you how it works!
