The FCA annual report is out and it’s not just Brexit under the microscope. As expected, operational resilience continues to be an area of concern, building on the issues raised in their business plan of 2019/2020 in April. It’s clearly an area they feel deserves more attention. And it’s not just the FCA, other regulators have all raised similar such as European Securities and Markets Authority (ESMA), Luxembourg Commission de Surveillance du Secteur Financier (CSSF); and Central Bank of Ireland (CBI).
Operational resilience is an area of risk that continues to climb the risk league tables and regulators in multiple jurisdictions are taking it seriously. However, customers, investors and investment management firms can incur significant financial losses and reputational damage from disruptions to the outsourcing relationships they have in place. And while it may seem like a less obvious area of concern for some, in comparison to financial crime for example, for institutions on the buy and sell-side, operational resilience is right up there as a priority. Or at least it should be.
Look no further than recent fines levied by the Central Bank of Ireland on the basis of clarity in controls around outsourcing arrangements, which in itself speaks directly to the importance of operational resilience.
These types of risks are a step beyond what we normally think of as pure operational risk, as they highlight the infrastructure interdependencies among financial services participants and third-parties. Fundamentally, firms can outsource certain functions, but they cannot outsource the responsibility.
One area of increasing importance for those across the fund industry is the ability to calculate and publish a backup NAV under any disruption scenario, including a complete service provider outage. This speaks directly to the theme of operational resilience. If this were to arise it would have serious consequences for the firm as an accurate NAV is the basis for the price of a unit or share of the fund in question. This is something that many firms outsource fully or in part to third-party providers. Yet, crucially, the firm retains all regulatory responsibility. Third-party administrators are not responsible entities that carry fiduciary liability and while firms recognise this, few have addressed this need for operational resilience. For those that have, there is a wide variation in approach and effectiveness.
Many firms still rely heavily on spreadsheets and reports from outsourcers in overseeing their NAVs. If this is the case, how can a firm responsible for billions in assets declare they have effective oversight, let alone contingent or backup NAV capabilities, in response to this new regulatory theme of operational resilience?
The truth is they can’t. The bar is being raised when it comes to market practice and firms need to take a holistic approach and consider how best to satisfy both clients and regulators of their operational resilience. Insuring against NAV outages by deploying purpose-built and proven solutions will allow firms to strengthen this key area of operational resilience. If their current models fail at any point, this approach will protect their investors and satisfy the regulators.