Regulated fund managers: governance in 2021

As part of our annual investment management conference, partners Lora Froud and Alexandra Green hosted two sessions focusing on governance for regulated fund managers in 2021.

A number of topics were covered including operational resilience, culture and diversity and ESG; and the Financial Conduct Authority’s (FCA) expectations of regulated firms in these areas.

What is operational resilience and how should a firm start to assess its operational resilience?

Operational resilience effectively is just good business practice. From a regulatory perspective, it refers to a firm having robust controls to mitigate: (1) the risks posed to the firm’s business; and (2) harm to the firm’s customers from outsourcers and third-party service providers. In practice, this translates into a firm having good governance in place to deal with its people, processes, technology, facilities and data.

It is not surprising that firms’ operational resilience is a focus area for the FCA, particularly at the moment in the context of both Brexit and Covid-19, but it is not new. The FCA Handbook – through, for example, the SYSC organisational and outsourcing requirements – has for some time required firms to consider their operational resilience.

A useful first step is to identify all the services that the firm is reliant upon to conduct its business, encompassing both insourced and outsourced services. Then, the firm can whittle down the list to those that are business-critical, by considering the amount spent on those services and the volume of business reliant on those services, as well as senior management’s judgement of what is critical. The firm’s risk appetite statement (if it has one), peer firms’ practices and any insights from previous regulatory visits could also help a firm to compile a comprehensive list and a defensible position should it come under FCA scrutiny.

What are the FCA’s expectations around operational resilience in the context of outsourcing?

The FCA is consulting on potential new requirements, but in the meantime it has said that firms should have a comprehensive understanding and mapping of the people, processes, technology, facilities and information that underpin the delivery of their most important business services. The FCA places particular emphasis on the classification, and extensive and granular mapping, of various kinds of outsourcing and third-party dependencies. Firms therefore need to start preparing accordingly, by:

  • collating data to get as complete an understanding as possible of their outsourcing and third party services contracts; and
  • classifying those contracts, for example, by reference to business-critical dependencies under those contracts, and whether they are “critical” or “important”.

This should include identifying sub-contracting and cloud computing arrangements, and assessing their criticality or importance. Identifying and categorising intra-group arrangements as part of this exercise is also crucial and often quite challenging: historically, intra-group arrangements have tended to be less-well documented, and grouped companies sometimes operated “as one”, rather than as separate entities providing each other with arm’s length services, as the FCA would expect.

The next step would be for the firm to interrogate those arrangements it has identified as critical or important in a granular way. For example, in the context of outsourcing and data security, questions a firm may need to ask itself could include the following:

  • what are the firm’s standard data and information security and data protection standards, and how are they applied in the firm’s outsourcing contracts?;
  • is there a specific register or database of the firm’s data and information security, and data protection provisions as agreed in its outsourcing contracts, including any contractually agreed deviations or derogations, and a record of the firm updating those provisions to reflect updated regulatory or internal requirements?;
  • does the firm transfer to, or receive from, countries other than the UK personal or other data in the course of any outsourcing?;
  • if the firm has outsourced to the cloud, and personal or sensitive data is processed in the course of cloud service provision, where is that data resident?;
  • if the firm transfers personal data outside the UK, under what permitted rules are personal data transferred or received?;
  • who is the firm’s lead data protection supervisory authority?; and
  • has the firm run any cyber and/or data breach scenario planning exercises, or “lessons learnt” exercises in this context?
What should firms that rely on advanced technologies (such as AI and machine learning) be thinking about from an operational resilience perspective?

The regulatory situation for firms in this area is complex and challenging, because it covers, or could cover, a range of matters including SYSC governance and accountability controls, outsourcing to the cloud, cybersecurity, GDPR, conduct, fairness and even ethics and ethical standards. We anticipate that over the coming year regulators will start to focus on concerns around digital and financial exclusion/inclusion, transparency and “explainability” of algorithms, data monopolies and higher impact cyber-attacks.

Firms using or relying on technologies like AI and machine learning (AIML) should make sure they know, exactly, what it is they are developing and deploying, and that named individuals – including at board level – understand and are responsible for the project. From an SMCR perspective, firms should consider allocating responsibility to a specific senior manager for implementation of advanced technology projects, so they can demonstrate clear accountability to the FCA.

Firms should also think about putting in place AIML and data ethics policies and provide suitable staff training, especially for any internal software developers and data scientists, as well as ensuring close monitoring of technological developments, deployments and outcomes, and preparation of appropriate and regular management information reports.

Notifying the FCA about operational resilience failures

When it comes to firms making breach notifications, the FCA has three clear expectations. A firm’s notification should demonstrate: (1) the firm’s consideration of its customers’ interests; (2) that the firm has a plan in place to remedy the breach; and (3) that the firm is taking steps to mitigate any customer detriment.

The tone, content and timing of breach notifications are all critical; firms should be forensic in identifying the breach/error, its causes and the remedial steps the firm is taking. Governance and communication around the notification is also important: for example, board and committee minutes should reflect the status of the breach, and communications with the FCA should be handled by well-informed personnel as opposed to spokespersons. The FCA is not looking to catch firms out: where it sees firms trying to do the right thing, it will try to work with those firms to support the resolution of issues.

Culture and diversity

Regulatory focus on firms’ culture has increased in years, with questions of diversity and inclusion in particular under the spotlight, given recent high-profile events and movements, such as #metoo and BLM, but also issues prompted by Covid-19 around flexible and agile working, and mental health. The FCA has made it clear that diversity and inclusion is a key means by which it evaluates firms’ culture and conduct. In particular, the FCA sees diversity – at all levels – as contributing to new and better approaches to problem solving and decision making. A lack of diversity could be seen as creating a conduct risk.

That said, while emphasising the importance of diversity and inclusion, the FCA has not given firms much guidance as to how it expects them to embed changes, nor does it set diversity and inclusion targets for firms. As a result, it can be difficult for firms to assess whether they are meeting the FCA’s expectations in this area. Firms also need to be mindful of the distinction between targets and quotas, with the latter running the risk of constituting unlawful discrimination in most circumstances.

Turning to enforcement, the FCA has always thought of its fitness and propriety assessments as going beyond just what happens in the workplace. So, the FCA will very much see senior managers’ personal behaviour as being within its supervisory remit. For example, omitting to tell the FCA about a driving offence in some circumstances will raise a fitness and propriety flag, and the FCA has recently issued some high-profile final notices for individuals convicted of sexual offences, banning them from working in the industry.

But the FCA also looks at diversity and inclusion issues in the broadest sense. For instance, it expects a firm to consider the impact of its decisions on all sectors of its customer base, so as not to exclude elderly customers, or those with disabilities or who may not have internet access. It will also expect diversity and inclusion matters to be raised and discussed in committees and other decision-making bodies below board level.

ESG

Recent focus within the industry has been on the EU Disclosure Regulation, which applies from March 2021. It is important though for firms to keep a broader perspective on ESG, in particular from a risk management angle. It is incumbent on all firms to understand the risks related to their products, be they in relation to disclosures and the risks around greenwashing, or to portfolio composition and the ESG risks that could arise within the portfolio. ESG considerations are as much a question of risk management exercise as anything else.

The EU Disclosure Regulation itself will not apply directly to UK firms unless they market funds in the EU or service EU clients. The UK – both via the government and the FCA – has made clear that it intends to match the EU’s ambition on ESG matters, so UK firms can expect a “UK version” of the disclosure regulation – or something similar – in the not-too-distant future. Any new UK rules in this area will first have to go through the usual FCA consultation process, so firms will have an opportunity to give feedback on the proposed rules, as well as time to implement and comply with any requirements that follow.

Those firms that will be subject to the EU disclosure regulation, and those who for reputational or other reasons decide to comply with it on a voluntary basis, will need to give some thought as to whether their funds and other products are “Article 6”, “Article 8” or “Article 9” products. This may not always be straightforward and, in making these determinations – particularly around “Article 8” products, firms will need to distinguish between the promotion of the firm’s house approach to ESG issues and the promotion of any fund- or product-specific ESG characteristics.

Visit our “ESG: a roadmap of incoming EU regulations impacting asset managers” and ESG hubpage for more information.

To request a copy of the recording from these sessions, please contact us.

To view summaries of other sessions in the investment management conference series, follow the links below: