The FCA has published the results of its review into how asset management firms selected and used risk modelling and other portfolio management tools, focussing on how these firms are placed to respond to system failures or service interruptions which could cause serious harm to consumers or potentially damage market integrity.
This review builds on the FCA’s continuing work in the operational resilience sphere, including its cross-sector Technology and Cyber Resilience Questionnaire in 2017/8, in which the FCA surveyed 296 firms to assess their technology and cyber capabilities in key areas such as governance, delivery of change management, management of third party risks and cyber defence effectiveness. Whilst only ten firms were sampled and this latest review was sector-specific, the report is relevant to all firms in the asset management sector and indeed beyond in the wider context of operational resilience, which remains a focus for the FCA.
The FCA sampled ten firms and examined their selection, use, management, oversight and implementation of portfolio management tools, highlighting areas of strength and weakness demonstrated by the firms. The general view was that there are areas of good practice but scope for improvement:
- Approach to use of portfolio tools – Some firms in the sample relied on a single provider for the majority of their resources, whilst others used a range of tools from different providers. Whilst the first option provides benefits such as reduced manual input and lower risk of errors, simplified vendor management and easier implementation, a significant potential drawback identified is concentration risk, and the knock-on resilience implications from heavy reliance on a single provider. By contrast, some firms build their technology in-house, which gives flexibility in relation to functionality and maintenance but brings increasing costs; firms are often looking at ways to reduce those costs, which can introduce its own risks.
- Vendor management – Again firms took differing approaches to vendor management, with some having a centralised function with little input from end users or business lines, others having a de-centralised approach with end-users owning the vendor relationship, and the remainder having a hybrid of the two where the vendor management function included service users. Whilst provider-run user groups for clients to share experience are seen as a positive way to influence service change, a common flaw the FCA saw across most firms regardless of the model they used was the failure of periodic reviews to consider the risk categorisation of providers and whether this had changed since service inception, meaning that the most risky service providers were unlikely to be given the necessary oversight.
- Model governance – In terms of reviewing modelling tools which are being developed or used, some firms reviewed them against agreed procedures rather than reviewing each model in detail, with the FCA noting that the effectiveness of such a review depends highly on the quality of the review framework and the size of the sample reviewed. An alternative review process seemingly preferred by the FCA validated both the underlying modelling tools and the framework against which they were reviewed, as this appeared to provide increased assurance.
- Managing change – A common challenge expressed by the firms was the difficulty and complexity involved in changing service provider, with the length of some service provider relationships being “less a positive endorsement of the provider … than a reflection of the difficulty going elsewhere”. To mitigate the risks of service interruptions or data migration issues when changing providers, firms could consider bringing change programme contractors in-house and running detailed testing programmes where time permits, including parallel running of existing and new tools to identify strengths and weaknesses with the new offering.
- Resilience and recovery – The FCA found that firms had generally not given enough consideration to how to manage different lengths of outages, particularly longer outages, with some firms having limited capacity for even relatively short outages. Firms cited the cost of full continuity plans versus the length of the outage as prohibitive to effective resilience planning. The FCA indicates that greater involvement of first line users in the development, review and testing of contingency arrangements could increase the amount of comfort that the plans can provide.
- Testing of software – A common difficulty highlighted by firms in this area was the need to balance quick implementation of upgrades and software patches with effective testing. Whilst engaging with key providers during testing is encouraged, the FCA noted that some firms rely too heavily on provider-led testing without fully understanding the limits of the testing or how the tests matched their requirements. Again, the FCA highlighted provider-run user group forums as a way for firms to improve their understanding of the products and therefore how to effectively test them and mitigate risks. Firms could also consider phased implementation of non-critical technology changes to mitigate associated risks.
- Customer expectations – The FCA’s overarching view is that firms did not always describe clearly to customers how they used modelling tools, or when their outputs might be overridden. Some firms suggested that they use modelling tools simply because of an expectation on them from the market to do so, and may therefore not be placing sufficient weight on the outputs or managing assets consistently in line with clients’ expectations. However, client engagement on how best to use these tools in practice has proved challenging for some firms.
The FCA provided feedback to the ten firms in the review on where they could make improvements and reminded firms in the asset management sector that their implementation, oversight and contingency arrangements in respect of modelling tools must enable them to comply with the FCA’s expectations so that the firm can continue to function and meet its regulatory obligations in the event of unforeseen disruption.