On January 13, the UK Financial Conduct Authority (FCA) released the findings of their multi-firm review of how asset management firms select, use and oversee the tools and models they use to manage portfolios (the Review).
The Review is a follow-up to, among other things, the Technology and Cyber Resilience Questionnaire, the results of which were published in November 2018 and are available here. The FCA’s concerns about operational resilience were exemplified in the TSB IT failure in April 2018, in which 1.9 million customers were unable to access their online accounts for up to a week. Operational resilience is a key cross-sector priority for the FCA, as set out in the 2019/20 Business Plan.
In the Review, the FCA visited ten firms in the asset management sector and met with senior executives from the first and second lines of defense to see how they selected and used risk modelling and other portfolio management tools. They observed three general approaches:
- firms using an “integrated package” from a single provider
- firms using “a suite of tools from different providers,” and
- firms who build their technology in-house.
Firms who use a single provider observed that, while this approach tended to be less complex and more reliable due to consistent data handling, the potential drawbacks included concentration risk and resilience implications. Firms also felt that once they had chosen a single provider it would be very difficult to move to other providers.
By comparison, firms who developed their tools in-house found that it gave them greater flexibility and capacity to be distinctive but also that it was more expensive. Firms with in-house tools actively considered licensing their software to competitors.
The FCA also asked about different approaches to vendor management, model governance, change management, software testing, resilience and recovery, and customer expectations. In particular, with regard to resilience and recovery, the FCA observed that firms had “not given enough consideration” to how they would manage outages, especially if the outage were to last a long time or happen frequently.
The FCA expects other asset management firms to look at their operational resilience arrangements to ensure that they can comply with the Handbook and meet their regulatory obligations.
The findings are available here.