This article has been written together with Eleonora Cambone.
“It was the best of times, it was the worst of times”.
Originally used by Charles Dickens to describe the turmoil of troubled nineteenth-century England, this phrase also happens to accurately summarize the current environment – its challenges and, most importantly, the improvement opportunities awaiting asset managers with regard to outsourcing.
In a COVID-19 scenario, ManCos and AIFMs are faced with several risks in need of mitigation, both on an internal front, such as operational resilience or regulatory continuity, and an external front, such as risks arising from third-party outsourcing. Nevertheless, such disruptions bring a new wave of opportunities for reviewing outsourcing operating models, testing their robustness and beefing up operational oversight programs.
Vulnerabilities of Luxembourg’s ecosystem
Luxembourg’s financial environment is inherently more exposed to third-party outsourcing risks because it relies extensively on an external web of support. Oftentimes, asset managers outsource their functions to more than one provider, and, consequently, have to oversee a multitude of operations on top of what goes on in house. According to Risk.net, several operational issues have materialized, ranging from cybersecurity to inadequate infrastructures for remote work, undermining the stability of the value chain.
In addition, asset managers and conducting officers find themselves with their hands tied: outsourcing a function does not equate to outsourcing the risks that come with it. On the contrary, it entails greater responsibility and increased oversight, especially now.
Reviews triggered by COVID-19
Increased awareness of the risks stemming from third-party outsourcing has given asset managers plenty to think about, propelling them to reconsider their models and inspiring the development of Outsourcing 2.0, a revised and more practical oversight approach – somewhat anticipated by the CSSF Circular 18/698.
Questions are arising around what to outsource, what to keep in-house, and how to select the counterparty in a way that minimizes risk. In particular, asset managers are questioning whether the initial due diligence exercises outlined in the Circular should encompass additional elements. Specifically, should it include increased scrutiny regarding Business Continuity Plans (BCPs), which are characterized by stress tests gauging the level of preparedness for disruptive situations, general IT infrastructure and governance mechanisms?
On the legal front, conducting officers are left with a bittersweet taste in their mouths due to the realization that contractual agreements and formalized operating memoranda have little actual power in fighting COVID-19. Although the binding documents contain clauses ensuring service delivery and compensation during even the toughest times, in reality, if these cannot be enforced, asset managers will suffer the highest consequences. Dangers related to operating difficulties, providing continuous service and reputational risks could ambush financial players when they are most exposed.
Asset managers raise the bar on vigilance
Asset managers have acted swiftly and already increased their surveillance over third-party delegates, particularly in terms of Key Performance Indicator (KPI) reviews. Typically performed monthly or quarterly, their frequency is now rising, amounting to sometimes daily operational checks. Entities reliant on outsourcing are emphasizing testing of third-party BCPs, working to understand their resilience and considering, for example, insourcing strategies or alternate services should others be at risk.
Drawing from the EMIR provisions on capital requirements, considerations are being made regarding the possibility that eligible third-party entities meet minimum capital requirements. This could bring peace of mind to asset managers by proving that their outsourcing parties are in a position to honor their obligations, regardless of the degree to which they are impacted by a pandemic.
With this in mind, the current challenges shed light on the flaws of operational risk governance and the systems in place. The weaknesses are emphasized by the fact that the Operational Risk Manager position is inconsistent across service providers. Meanwhile, these companies continue to strengthen and restructure their operational risk governance and framework, suggesting that current setups are still primitive. Once established, sound protocols and procedures will comfort conducting officers when they consider future and current delegates. In the near future, we might see conducting officers question the inclusion of outsourcing as a part of their models or double down on developing more complete frameworks.