Investment due diligence procedures for regulatory examinations
Robust investment due diligence procedures are no longer merely best practice. They are a regulatory requirement under MiFID II, which was due to roll out this month and is still scheduled to come into force in the next few months. With this in mind, it is worth revisiting your own investment due diligence procedures and being aware of what the different regulators are looking for.
IMDDA hosted a webinar, “What are Today’s Asset Managers Due Diligence Obligations?”, with Robin Hodgkins, President of Castina LLC, and former CISO John Rizzulo, now President at Rizzulo GRC. They shared their recent experience of the areas that are of key concern to regulators right now. Here are some useful nuggets from the full recording:
1. Third party risk is a top priority for regulators
It doesn’t matter which regulator you look at: the SEC, FINRA and the New York DFA all say their fastest-growing concern is third party risk management. And don’t make the mistake of thinking the onus is on the vendor. They all make a point of saying that you cannot delegate your legal and regulatory responsibilities. If a third party has a data breach, it’s your data breach. If a third party presents as high-risk and you don’t act to mitigate that risk, it’s on you, regardless of the benefits of working with them.
2. The third party risk management hit list
Digging deeper into investment due diligence procedures for third party risk management, our experts revealed the areas of greatest concern to regulators. They are, in order of importance:
- Cyber security
- Business continuity planning
- Credit and financial risk
- Operational risk
- Compliance risk
If nothing else, you need to be able to show that you have conducted due diligence in each of these areas for each of your third party relationships, and that you have ongoing monitoring and management procedures in place, rather than treating due diligence as a one-time activity at the inception of the relationship.
3. Valuation assessments for research
Another interesting and comparatively new area raised by the impending introduction of MiFID II is that the SEC and ESMA both now require a valuation assessment for certain types of research. Where payment for these services is rendered in soft dollars (CSAs or RPAs), you need to have a value assessment and inducement management framework that provides greater transparency on the ROI of these research services.
4. Due diligence evaluation to rest with subject matter experts
Whether at the start of a due diligence investigation, where evaluation of questionnaire responses is required, or during ongoing monitoring of third party relationships, it is essential that the work of assessing the data falls to a subject matter expert who is qualified to identify and evaluate changes, anomalies and risks.
Regulators don’t just look to see that the investment due diligence procedure has been followed; they need to see evidence that the person carrying out the work has the knowledge and skills to provide a valid assessment of risk.
5. A risk-based approach to workload
You should apply risk ratings to individual relationships and to each aspect of the organization: its structure, its governance and the services it provides. You must be able to demonstrate that you use this system to prioritize your workload, allowing you to review higher-risk items ahead of lower-risk ones rather than running to a standard calendar of due diligence reviews.
For example, onsite compliance visits should be prioritized for those third parties that have a high risk score once their due diligence questionnaire responses have been analyzed, and for those mission-critical firms whose relationships are fundamental to the operations of your own organization.
Want more insights into how the regulators are currently thinking and acting when conducting examinations and reviews? The IMDDA webinar “What are Today’s Asset Managers Due Diligence Obligations?” tells the full story. Listen to the recording here: