Resilient business models

Evolving Asset Management Regulation Report 2023

The way in which asset managers manage risks is a constant theme for regulators, not least within the context of financial stability. Regulators are acutely aware of the threat of any type of disruption to firms and their customers, particularly in times of stress.

Greater reliance on third-party suppliers raises concerns around remaining substance in asset management firms and their oversight of the suppliers (see Chapter 7), but also about the resilience of those third parties. Cyber threats are highlighted as a key risk and technology-led business transformation and recognition of the global interconnectedness of the financial system have led to increased focus on the resilience of end-to-end business operations. And the adequacy of asset managers' financial resources and broader risk and control frameworks is also under review.

See below for more detail on the key themes

The Australian Prudential Regulatory Authority released a new draft cross-industry prudential standard (CPS 230) on operational risk management, which underpins the more general risk management standard (CP220) and replaces several existing standards, including those on business continuity management and outsourcing. The key themes of the new standard are that firms should be prepared for risk events, be resilient, and protect the entity and the community. Areas of focus are operating model, critical operations, material service providers, business continuity, incident management and controls management.

In the light of financial infrastructure concerns linked to possible civil unrest, pandemics, climate events etc., the prudential authority in South Africa has issued guidance for banks and insurers on operational resilience. It will impact asset managers that are part of such groups, but stand-alone asset managers also regard this as a very important topic.

Regulators around the globe are emphasizing the need for firms to evidence strong third-party risk management and oversight, to improve and maintain their operational resilience. The Financial Stability Board (FSB) consulted on a toolkit for financial authorities and financial institutions to enhance risk management and oversight of third parties. The aim is to reduce supervisory and regulatory fragmentation across jurisdictions, facilitate stakeholder coordination, and strengthen third-party risk management and the resilience of the financial system. The toolkit's primary focus is on critical services, given the potential impact of their disruption on financial institutions' critical operations and financial stability. It comprises:

A list of common terms and definitions to improve clarity and consistency, and to improve communication among relevant stakeholders.
Tools to help firms identify critical services and manage potential risks throughout the lifecycle of a third-party service relationship.
Tools for supervising how firms manage third-party risks, and for identifying, monitoring and managing systemic third-party dependencies and potential systemic risks.

The UK regulators consulted on managing the risks associated with critical third-party providers and subsequently requested further information on the costs and benefits of introducing a regulatory regime for them. The UK government would be able to designate certain third parties as “critical”, with the regulators then setting and monitoring minimum resilience standards.

Similarly, to complement the incoming Digital Operational Resilience Act (DORA), which takes effect from January 2025, EU regulators consulted on criteria for critical ICT¹ third-party service providers. They also sought views on draft standards to implement a consistent framework across ICT risk management, incident reporting, and third-party risk management. DORA will set uniform requirements for the security of network and information systems of financial services firms (including asset managers) and of critical third parties. In parallel, the Luxembourg regulator introduced a new template for reporting critical ICT providers (following previous guidance to harmonize the framework governing outsourcing arrangements).

The US SEC²has proposed to require registered investment advisers (RIAs) to satisfy specific due diligence and ongoing monitoring over certain third parties. The rule would apply to advisers that outsource certain “covered functions,” which include those that are necessary for providing advisory services in compliance with the Federal securities laws and that if not performed, or performed negligently, would result in material negative impact to clients. Additionally, the proposal would require RIAs to conduct due diligence and monitoring for all third-party recordkeepers and to obtain reasonable assurances that the recordkeepers will meet certain standards.

The CSSF³ clarified its expectations of Luxembourg administrators and requirements around the delegation of activities such as fund accounting and the calculation of the fund's NAV⁴. Administrators must perform controls, checks and validation in accordance with the CSSF's circular. Where firms rely on systems outside Luxembourg, the local administrator must keep a secure, daily backup of all accounting and registrar positions within the European Economic Area.

Some jurisdictions have introduced new rules or guidance for banking groups, which will impact bank-owned asset managers but not others. For instance, changes to outsourcing regulations in Poland, intended to simplify procedures and harmonize them with the EU-level guidelines on outsourcing arrangements, include liberalization of the outsourcing chain, which is currently limited to one level of sub-outsourcing. Another fundamental reform is the introduction of notifications (instead of the need to obtain regulatory authorization) for the outsourcing of activities performed outside the EEA.

With links to discussions on financial stability (see Chapter 3), increased use of technology (see Chapter 5) and oversight of activities outsourced to third parties, regulators are introducing specific rules and guidance for the management of cyber risk by firms. The FSB noted the importance of timely and accurate reporting on cyber incidents, particularly in the context of financial stability. It set out 16 recommendations to address practical challenges associated with the collection of information about cyber incidents, including setting appropriate and consistent thresholds for reporting.

Other efforts to promote information sharing are also underway. In the UAE, the Dubai regulator launched a cyber threat intelligence platform to help firms mitigate cyber risk, and authorities across the UAE hosted the second edition of their cyber risk supervisory college to discuss best practice and areas for collaboration. And the US Treasury and Singapore MAS conducted joint exercises to strengthen cross-border cyber incident co-ordination and management.

The US SEC re-opened the comment period on proposed new rules on cyber risk management and privacy for asset managers and funds. The rules cover several areas, including safeguarding of customer information, notifying customers of data breaches, contracts with third parties and record keeping. Firms would be required to establish, maintain, and enforce written policies and procedures that are reasonably designed to address their cybersecurity risks, and to file incidents promptly with the regulator.

The SEC Division of Examination has included information security and operational resiliency as one of its 2023 priorities. It is reviewing RIAs' practices to prevent interruptions to safeguard customer records and information. This includes cybersecurity issues associated with the use of third-party vendors, firms' visibility into the security and integrity of third-party products and services, and monitoring for firms' unauthorized use of third-party providers.

Information and ICT security are top of the agenda for other regulators. As well as covering aspects of operational resilience and third-party oversight (see above), the European Supervisory Authorities' consultations will contribute to EU efforts to prevent and mitigate cyber threats.

The Dubai Financial Services Authority, UAE, reviewed firms' cyber security arrangement against its guidelines, and issued a consultation paper on cyber risk management requirements and proposals relating to the regulator's role in supporting innovation in financial services. The review found that firms had made progress in building tangible cyber resilience capabilities but were still lacking in key areas. The regulator believes that continued supervisory effort is needed to encourage the appropriate outcomes. It proposes to convert existing guidelines into rules and supporting guidance.

As part of its ongoing focus on cyber resilience, the MAS has established a new FS Cloud Resilience Forum, for Asia Pacific financial regulators and cloud service providers to exchange views on appropriate public cloud risk management practices for the financial sector. The first meeting of the Forum noted that information sharing between regulators and providers will be critical, in addition to firms maintaining high standards of operational resilience.

Given a recent incident in Canada, when a local service provider lost fund unitholder data, Canadian fund managers expect to see some targeted supervisory activity on cyber security by the securities regulators.

The Autoriteit Financiële Markten (AFM) in the Netherlands shared findings and best practices about the reporting of incidents by firms to the regulator. Based on a deep-dive review, it identified possible causes for the failure of firms to notify incidents:

Firms' policies, procedures and measures are not always adequate.
There is room for improvement in traceability of decision-making.
Firms sometimes focus too much on operational incidents (e.g. IT issues over inappropriate staff behavior).
Several firms rely heavily on the judgement of their staff.

Some regulators are concerned about other areas of risk management.

The Central Bank of Ireland (CBI) issued a “Dear CEO” letter to firms, highlighting its findings from a targeted review of control frameworks and risk appetite statements (RAS) in investment firms, including asset managers. The CBI had noted that firms must acknowledge the heightened risk environment, and ensure that changes to their risk identification and risk management processes are aligned with their risk appetite and with the best interest of consumers. The regulator found good practices (e.g. relating to updated risk compliance control functions and risk management frameworks). However, it also identified notable deficiencies, and required firms to conduct gap analyses and hold Board discussions on:

Governance and risk management frameworks, and RAS design.
Board oversight of compliance and risk matters.
Application of the RAS in managing material risks.
Reporting of risk appetite to the Risk Committee and Board.
Communication of risk appetite throughout the firm.

New rules for the private fund management industry in China include provisions that if a company involves major potential risks, it may be subject to additional filing and disclosure requirements.

In the US, if a mutual fund relies on the SEC's derivatives rule, the SEC Division of Examination will, among other things, assess whether firms have adopted and implemented policies and procedures to manage the fund's derivatives risks and to prevent violations of the rule. It will also review firms' implementation of derivatives risk management programs, board oversight, and whether disclosures concerning the fund's use of derivatives are incomplete, inaccurate or potentially misleading.

In the area of investment risk, the UK FCA's⁵ consultation on the future regulation of asset management includes proposals to clarify its expectations on due diligence of investments by portfolio managers. In its supervisory work, it found investment due diligence practices (including credit assessment) appeared inconsistent, and there have been some cases where material risks appeared to have been overlooked and consumers had suffered losses as a result. The regulator proposed to replace or reinforce the current high-level rules with clearer standards that would apply to all types of portfolio managers.

Regulators in a few jurisdictions have been updating the rules on capital adequacy for the industry. In some cases, the amendments are purely technical, but in other cases the new requirements could have a significant impact on some entities.

The CMA⁶ in Saudi Arabia revised its prudential rules for asset managers in April 2023 with key updates around capital adequacy in terms of methodology and reporting. In Australia the current financial resource requirements on the managed funds industry are to continue with no substantive amendments. However, in respect of superannuation schemes the regulator is actively considering changes to the structure and calculation of the operational risk reserve held within the fund (although at this stage no formal change to the law has been made). Additionally, where a Commonwealth penalty is levied against a superannuation trustee or its directors, the law now provides that the penalty cannot be paid out of the fund assets. This has led superannuation trustees to consider what level of capital reserves need to be held on the corporate account of the superannuation trustee entity (outside fund assets) to guard against any penalty risk.

Under the prudential requirements set out in the EU Investment Firms Directive and Regulation, national regulators have discretion in some areas to apply stronger requirements. Sweden has introduced changes to its laws to implement the new EU rules, including reference to “very large investment firms”, but there are currently no such firms in Sweden.

The CBI has decided to require all Irish MiFID⁷ investment firms (which includes asset managers) to review their own risks and ensure they have adequate capital and liquidity, regardless of their size. The regulator believes that all firms should undertake a regular exercise to assess and maintain the adequacy of the quantity, quality and distribution of internal capital held, proportionate to the nature, scale and complexity of the firm. Firms that pose less risk and/or have simple business models may establish a simpler, more appropriate internal capital and liquid assets assessment process, but they must comply with a minimum liquidity requirement.

The CBI is also concerned that Irish fund management companies that perform the MiFID activity of portfolio management for other clients should hold sufficient capital to reflect these additional activities. It therefore consulted on the introduction of requirements that are in line with the capital requirements for MiFID investment firms.

The UK FCA conducted a multi-firm review of implementation of the UK equivalent of the EU rules. The regulator provided feedback on areas for improvement, including the need for greater clarity on the allocation of capital between group and individual firms, better justifying key assumptions (including linking capital/liquidity to the risk management process), and strengthening wind-down plans. It also noted that weak systems and controls continue to lead to inaccurate or incomplete regulatory reporting.

Actions for firms:

Identify and manage all potential operational risks through effective controls, monitoring and remediation as needed.
Review oversight arrangements over third-party providers, including policies and procedures, formal agreements, and robust monitoring arrangements.
Review information security arrangements to ensure there are clear policies and procedures in place to address cyber-related risks, as well as recovery and incident response plans.
Assess whether sufficient capital and liquidity is held, having reviewed all potential risks to the business, and whether wind-down plans are complete and practical.