Target audience: CROs, CCOs, COOs, Heads of operational resilience in UK investment management firms
At a glance:
- When the UK operational resilience policy framework came into force on 31 March 2022, financial services firms entered a three-year transition period (running until March 2025) during which they will have to meaningfully address their biggest operational vulnerabilities. Boards of investment managers (IMs) will need to make strategic decisions about how they will invest to address these.
- Given the IM sector’s significant reliance on third-party providers (TPPs) and the fact that many IMs do not have a direct relationship with their end customers, IMs will also need to work closely with TPPs and distributors to enable the sector to be more resilient. Firms may need to revise their engagement strategy with TPPs and distributors to get the information and cooperation they need.
- Key areas for IMs to focus on early in the transition period include:
  - Investing in scenario analysis and readiness so that in the event of a disruption staff will be able to quickly understand what options are available to them and execute them to plan.
  - Working with regulated TPPs to ensure that their impact tolerances are aligned to the firm’s, and carrying out joint testing with TPPs.
  - Considering opportunities to diversify the use of TPPs where dependencies are currently concentrated.
  - Contributing to industry initiatives to reach an industry-wide understanding of how critical or systemic TPPs can cooperate with IMs on operational resilience.
  - Getting better information from distributors about end customers to enable a better assessment of customer harm in the event of an operational failure.
  - Establishing the principles by which clients should be prioritised in the event of an operational disruption, so that this guidance can be used to help vulnerable customers self-identify at the time of the event.
  - Embedding the target operating model, including securing the investment needed, to operate within their impact tolerance.
On 31 March 2022, IMs that are captured by the UK operational resilience framework entered a three-year transition period during which they will have to meaningfully address their biggest operational vulnerabilities. Our June 2022 blog, "Next steps in building operational resilience in financial services firms", sets out how firms across the financial services sector should be making the best use of the transition period. This blog takes a deeper look into some issues which are specific to the investment management sector.
The scope of the framework
Not all IMs are captured by the current UK operational resilience framework. IMs will be captured by the FCA operational resilience regime if they are Enhanced Scope firms under the Senior Managers & Certification Regime. Some asset management groups will have insurance entities within them that will be captured by both the FCA and PRA regimes. IMs that are part of a banking or insurance group may need to comply with the requirements if the group chooses to apply one operational resilience framework across their whole business.
IMs that are currently out of scope should, nevertheless, follow this policy area closely and may choose to implement some parts of the operational resilience framework in order to match investor and customer expectations around resilience.
Sectoral issues around operational resilience
Firms that are captured by the UK framework had a 12-month period to implement the fundamentals of the operational resilience approach and have made notable progress in that time. Broadly speaking, most in-scope IMs caught up with banks and insurers in terms of their preparedness for the 31 March 2022 implementation deadline – by which time they needed to identify their important business services (IBS), set impact tolerances for their disruption, and complete a self-assessment of their current-state resilience.
The next three years will demand more from in-scope IMs, however, as they will need to improve the resilience of their IBSs so as to meet the impact tolerances that they have set. IMs will, like all FS firms, be pushed to do significant work during the transition period to improve the sophistication of their mapping of the systems and processes supporting their IBS, as well as to develop their scenario testing capabilities. We discussed both of these capability areas in our earlier blog.
Thinking specifically about IM firms, the unique features of their business and operating models mean that the sector faces important challenges around the use of TPPs and understanding customer harm that will make this task more difficult.
Key area of challenge: reliance on third parties
The business model of many IMs is heavily reliant on TPPs for the delivery of their products and services. This can also include counterparties such as administrators, order management systems, transfer agents, custodians, depositaries, and others which can give rise to fourth- and fifth-party relationships. These dependencies make the task of understanding vulnerabilities in the delivery of IBS and addressing them more complicated.
Third-party dependencies creating challenges for operational resilience is a cross-sectoral phenomenon. An executive survey published in our 2022 Regulatory Outlook identified third-party vulnerabilities as the most significant challenge the financial services sector faces in complying with the UK operational resilience framework. IM respondents to that survey, however, registered more concern with the third-party challenge than other types of firm.
In our work with IMs, we have seen that the information required by firms to identify and address vulnerabilities can sometimes be hard to obtain when doing due diligence on TPPs. Non-regulated TPPs often do not fully understand what is being asked of them or are not able to provide the information to IMs in a transferable format. While this problem is especially challenging for smaller and medium-sized IMs with less individual bargaining power, we have also seen large asset managers struggle to get the right information and understand the resilience of their TPPs. The challenges are often greater for unregulated TPPs than for regulated ones that are subject to the UK operational resilience regime themselves. In the longer term, the UK Government’s proposal to expand the financial services regulatory perimeter to include oversight of critical third parties, including Cloud Service Providers and potentially other technology providers, may clarify expectations for some TPPs.
There are also sector-specific concentration issues in the IM industry, including with portfolio management platforms, broker systems, custodians, and transfer agents. Firms may consider opportunities to diversify the use of TPPs where dependencies are currently concentrated. However, they will need to ensure that multiple third parties do not all use a common fourth party that could be a single point of failure. This analysis will require access to more market intelligence and data than many firms currently have. Where diversification is not possible due to limited available suppliers, firms should instead explore taking additional steps to enhance resilience, such as stronger oversight, a shared understanding of the impact tolerance that the firm has set, and monitoring of the TPP.
Addressing operational vulnerabilities arising from TPP relationships will be a challenge throughout the transition period. IMs should invest in scenario analysis and readiness, so that in the event of disruption, boards, management and staff will be able to quickly understand what options are available to them. This would include the development of playbooks for TPP disruption (e.g., ten steps to take if Aladdin goes down) and testing them, so that the decision-making process around the use of substitute systems and methods is well understood. IMs should also ensure that the impact tolerances of their TPPs (where these are also in-scope firms such as transfer agents and custodians) are aligned to their own and should carry out joint testing and exercises with TPPs. If a joint testing approach is not possible or appropriate, IMs should at least consider role playing or ‘red teaming’ their TPPs.
Firms will also need to consider the materiality of their relationships with third parties to decide what level of assurance is appropriate. Under the framework, firms must have a “sufficient” understanding of a third party’s people, processes, technology, and facilities to allow them to identify vulnerabilities and remedy these as appropriate. For critical TPPs, IMs may need to do an in-depth assessment, whereas a lighter-touch assessment may be sufficient for TPPs that play a less critical role in supporting the firm’s IBS.
While firms have individual responsibility for operational resilience, some of the work could be done by the IM sector collectively, acting through trade associations. Given that third-party services received by IMs are sometimes quite standardised, reaching an industry-wide understanding with some TPPs to provide a common level of information and cooperation will help to progress the sector’s work on resilience. This may include the development of shared assessment mechanisms (including the exploration of pooled audits and pooled testing, where appropriate).
Key area of challenge: understanding customer harm
Many IMs do not have a direct relationship with their end customers (e.g. if distribution is done by third parties). This makes it more difficult to understand and quantify the potential for customer harm in a severe disruption to an IBS. The FCA’s final operational resilience rules emphasise the importance of external impact data in setting impact tolerances, and, in many cases, this means IMs need to gain a better understanding of what kind of customers they have, how many are vulnerable and which customers need to be prioritised in the event of an operational failure. The FCA’s 2021 Product Governance Review noted that sharing of customer information between asset managers and product distributors is currently poorly developed. Getting better information about end customers is becoming increasingly important for IMs for the purposes of operational resilience, as well as a number of other regulatory initiatives such as the Consumer Duty and the prudential regime for investment firms.
While in-scope firms will have already set impact tolerances by March 2022, some will need to do further work during the transition period to understand the vulnerabilities in their customer base so that they can check that their impact tolerances are based on the most relevant metrics indicating potential customer harm. While IMs may not have information on individual customers, they should gather enough information from distributors to assess how customer harm may vary by type of product/service and distribution method, considering each point in the customer journey.
In addition, IMs will need to ensure that in the event of an operational disruption they could prioritise recovery actions in order to minimise harm. They should establish the principles by which clients should be prioritised and work with their distributors to ensure that these protocols can be put into practice. This must also support the ability of vulnerable customers to self-identify during a disruption to normal services. In our 2021 publication Time to Thrive, we set out an example “hierarchy of harm” framework that firms can use to prioritise the transactions and services that most urgently need to be preserved, such as those relating to the wellbeing or the financial security of their customers.
Further information on customers, a better understanding of TPP resilience capabilities, and broader scenario preparedness work will enable IMs to further calibrate their impact tolerances or identify areas of investment to meet their impact tolerances.
Out of scope firms – determining an approach
Those firms that aren’t captured by the UK regulatory framework may wish to undertake a careful assessment of their preparedness if they are likely to be captured in future (for instance, from business growth). Even firms that are not subject to the rules are still expected to be operationally resilient by the market and should expect supervisory scrutiny in the event of an operational failure. Getting better information about their customers would also help them with other regulatory expectations. In some cases, adopting parts of the framework – such as the focus on IBSs and mapping their dependencies – will give IMs a better understanding of how their customers are served and where efforts to mitigate the risks of third-party dependencies should be concentrated. Boards of out-of-scope IMs should take a view early on of whether some voluntary investment in this area will be desirable for these reasons, or to strengthen investor and customer perceptions of their resilience.
The regulatory push around operational resilience, in the UK and other jurisdictions, is showing no signs of letting up after the implementation of the initial rules. The ongoing supervisory focus in this space will require IMs to embed operational resilience within their broader risk and control framework and will push IM leadership to make strategic choices around investing in, and maintaining, a more resilient operating model.
Boards and senior leadership of in-scope IM firms should be prepared for the step change in regulatory scrutiny around operational resilience and the expectations of senior management to deliver the right level of oversight and engagement.
The key areas of challenge raised in this blog should serve as a helpful guide for firms to develop a clear plan this year to address operational vulnerabilities and improve their operational resilience over the three-year transition period.
 Where an IBS relies on a service delivered by a TPP, the outsourcing firm will still be expected by supervisors to take responsibility for the overall resilience of the IBS. This means firms will have to understand the resilience of their TPPs, identify any vulnerabilities, and take mitigating actions either in cooperation with the TPP or through developing substitute methods and systems.