As Operational Risks Evolve, Investors Must Scrutinise Service Providers

bfinance insight from:

Pension regulators around the globe are sending clear messages that investors must strengthen their operational frameworks and that trustees can be held accountable if they do not. Cyber security has received particular attention, thanks to recent high-profile incidents. Yet investors’ operational risks extend well beyond ‘cyber’ – and beyond the borders of their own organisations. Investors are also linked to a web of service providers, including external asset managers, who may lack robust operational control frameworks of their own.

There is no doubt that operational risk is a topic du jour for pension regulators, due in part to well publicised cyber security breaches. The Australian Prudential Regulation Authority (APRA) has called on super funds to step up their game, determining that last year’s hack of NGS Super was linked to “significant deficiencies in cyber controls.” On the other side of the world, the UK Pensions Regulator (TPR) has issued stern instructions to pension funds following a cyber security incident at Capita – service provider to numerous UK schemes. In the Netherlands, central bank and regulator De Nederlandsche Bank (DNB) highlighted the Dutch pension sector’s “insufficient improvement” in cyber resilience late last year.

While cyber crime draws headlines as an obvious area where the dangers have evolved, investors must also consider new regulations, developments in trading and transaction processes, increasingly complex valuation methodologies and ESG assertions that may be called into question, to name just a few. The operational risk ‘basics’ still need rigorous care and attention. Even where the financial cost may be moderate for an investor client, the reputational price can be more severe.

External asset managers in focus

Both investors and the service providers they appoint are continually incurring operational risk. And, while investment risks should (theoretically) be compensated for in the form of higher returns, operational risks are wholly unrewarded.

Relationships between asset managers and their clients are inherently based on trust. Investors are often left in the dark as to what actually goes on behind closed doors.

Relationships between asset managers and their clients are inherently based on trust: investors are often left in the dark as to what actually goes on behind closed doors. Indeed, depending on the asset manager, they may provide less transparency on aspects of their operational framework than on their investments. Getting a sufficiently accurate picture involves carrying out targeted questionnaires, reviewing policies, checking internal control reports, examining financial statements, understanding procedures, questioning relevant teams, and even engaging with management to implement improvements.

Moreover, the uncomfortable truth is that there is no perfect control framework for an asset manager. Even in the best-case scenario, operational due diligence does still involve accepting an element of ‘known unknowns’ and, where relevant, ensuring that the investor does not bear the brunt of prospective damage (through, for example, negotiated provisions within the Investment Management Agreement).

ODD challenges are changing

Today, three notable trends are making operational due diligence of external asset managers increasingly challenging for the typical institutional investor. The first, of course, is the much-discussed and evolving cyber threat, which is testing all players in the investment industry. The second is the rise of ESG, which is creating new risks around the claims and labels that asset managers apply to their strategies and businesses: the SEC in the US has already showcased its willingness to clamp down, with the USD $4 million fine for GSAM representing a particularly high-profile example. The third, and perhaps the most interesting day-to-day challenge for those involved in ‘ODD,’ is the long-term shift in favour of ‘non-traditional’ investments with greater use of alternative or even emerging investment managers.

Higher exposure to alternative asset classes, and particularly private markets, can open investors up to greater operational risks. At the risk of over-generalising, we do still observe that private market managers—despite considerable institutionalisation through recent years—tend to have less well-defined control frameworks, weaker policies and less investor-friendly procedures, on average, than their more traditional public market-focused counterparts (though shortcomings are found among the latter also, of course).

Investors should be careful not to assume that their asset manager has appropriate control functions in areas such as valuations, cash wires and fee calculations.

Investors should be careful not to assume that their asset manager has appropriate control functions in areas such as valuations, cash wires and fee calculations. This is particularly true in private markets: although many asset managers do have well-defined operating environments, we see plenty of exceptions. For example, a recent ODD exercise revealed a manager whose inadequate processes had opened them up to a phishing attack: cyber criminals had been able to wire money from one of the firm’s funds. Appropriate questions to identify vulnerabilities would include: what processes has a manager implemented to mitigate the risk of internal fraud with respect to cash movements from the fund? Has the firm adopted technology to segregate cash wire authorisation rights? Manual processes—still used by some asset managers—are both prone to failure and more easily compromised.

Private market managers have also historically been subject to a lower level of regulatory oversight. This is changing, however. Regulators around the globe are increasing their focus on managers operating in private markets, in terms of both regulatory frameworks and visible enforcement priorities. In the US, the SEC announced a new set of rules specifically focused on private fund advisors in 2023, representing a step-change in private market manager regulation. In the UK, the FCA is carrying out a review of private market valuations. Several private markets managers have recently received fines due to poorly designed compliance programmes and/or practice deemed unfriendly to investors, including OEP Capital Advisors (USD $4 million for the misuse of non-public information in its private equity business) and Lone Star with its affiliate Hudson Advisors (USD $11.2 million for disclosure failings in relation to fees charged).

Certain regions have been more active in driving stronger practices than others. The European Union’s Alternative Investment Fund Managers Directive has normalised the practice of appointing an independent administrator to EU domiciled private markets funds. However, many non-EU-domiciled vehicles, it should be noted, continue to be internally administered.

Towards operational best practice

Regulators’ focus on cyber security is warmly welcomed and deserves praise. Yet cyber risk management does not exist in a vacuum. Operational risks—cyber and beyond, in-house and external—should be considered holistically and given appropriate prioritisation.

Through vigorous ODD, investors can mitigate the risks they incur via their service providers. They can avoid pitfalls and even drive operational improvements among service providers that they wish to appoint: direct engagement with management is, we believe, a cornerstone of good ODD process.

Moreover, with a stronger understanding of current best practice, investors can apply ‘lessons learned’ from ODD to internal operations. Both excellence and errors exhibited by investment managers have relevance in-house.

An edited version of this article was previously published in Investor Daily in Australia (www.investordaily.com.au).