Delegation has gained increasing importance in the financial industry over the last decade, not least within the investment funds universe. The regulatory framework has evolved along with regulators’ expectations to make the accompanying requirements increasingly demanding. The ESMA opinion, published in July 2017, has confirmed, among other things, the (new) standard regarding delegation and oversight as seen by the independent European authority. It’s with this same objective in mind that the CSSF published its circular 18/698 in late August, precisely defining the oversight and delegation framework for Luxembourg. Beyond this, the circular covers governance, risk management and asset-money-laundering. This article puts the spotlight on delegation and oversight.
There are several aspects to the delegation process. It covers not only the due diligence work to be done and how it has to be done, but the whole spectrum of oversight. How, for instance, to organise the oversight? How to select delegates? How to be consistent over time? From there, how do you monitor the delegate? Such monitoring is not only about performing the annual check through a questionnaire, but also about continually monitoring several aspects, not least operational issues, trading checks and sensible policies such as best execution. In other words, the fundamental priority is to define the policies and procedures for selecting and monitoring the delegate. The second part of the process deals with the due diligence aspects; the formal checks of the PPSS as we call them, People, Process, Structure and Systems. This involves identifying the potential sources of risk through a system of enquiry that should include onsite visits. This in turn leads to continuous monitoring, defining performance and risk indicators and building reports to monitor them.
There are several elements to these new standards regarding delegation and oversight. The perspective we take is based on a mix between the regulator’s expectations and market practices. Our objective is not to be exhaustive but to outline the general trends and most important factors. We start with the most common elements that are not, generally speaking, defined by the type of delegates involved. By contrast our last section focuses on specific requirements regarding portfolio management delegation.
As delegation has become a point of ever greater importance over the last decade, regulatory expectations regarding oversight of delegation have also evolved.
All authorised entities should draw up policies and procedures to select and monitor delegates, and these procedures should cover every aspect of the delegation. This means that specific policies and procedures must be written, adopted, and applied in practice. These procedures for selecting delegates can be similar in their structure and model but the factors or objective reasons behind the decision process will typically be differentiated and should always have the best interests of investors in mind. Objective reasoning is the first real basis for evaluation. One cannot simply justify the choice of a delegate by saying that it is part of the same group of companies, but by identifying objective reasons that should be favourable to the investor. The final aim of these policies and procedures is to be able to prove objectively that a delegate has been chosen for good reasons, that there is a process around delegation and that, if needed, there is a formalised process in place to potentially replace the delegate. In addition, such policies and procedures should be backed up by being formally documented and updated regularly.
Another key element of policies and procedures is that arrangements between the parties should take the form of written contractual documents, which precisely detail the individual tasks and activities that are delegated, to ensure that authorised entities have the right to inquire, inspect, have access or give instructions to their delegates. This means that the delegating entity should play, or at least have all the tools to play, an active role.
This framework should not only be created to kick the process off, but it should define the delegation process throughout. This delegation and oversight should be organised and run over a multi-year period and should most probably be based on a risk-based approach. This means that, on the one hand, you can potentially lighten aspects of the process for best-in-class delegates based in certain jurisdictions, but that on the other a more regular and almost certainly more granular process has to be run for higher-risk ones.
Due diligence can be defined as the process of carrying out quantitative and qualitative analysis on a delegate. Historically, it has been performed by institutional investors prior to investing in a third-party asset manager. During the due diligence process, every aspect of the fund or investment strategy under review, and the fund management company, were analysed in detail. Due diligence also typically involved one or several meetings with the management team. Nowadays, the due diligence process around delegation is not limited to delegated asset managers but concerns any delegation including, but not limited to: portfolio management; risk management; compliance; internal audit; and central administration. It can also extend to complaints management or the accounting function if they are delegated.
The objective of the due diligence process is to analyse in detail a company as it performs a task, activity or function on behalf of another and to identify any potential source of risk. Once the strengths and potential weaknesses are identified, an assessment can be made and the governing body of the delegating entity can decide, on the basis of a formalised and documented process, if it is still happy to delegate the specific function to the corresponding delegate.
To perform this duty, the person or team in charge of the oversight should first and foremost build a due diligence questionnaire that contains details on the delegate but more importantly that covers every aspect of the task to be delegated. This could include the controls associates, the process, policies, persons involved, control and governance framework. While some aspects may be common to all delegates, for each type of delegate a significant part of the due diligence questionnaire must be specific to the delegated task. To take an example, for portfolio management delegation, the investment process, risk management, compliance or trading will be key while for the delegation of risk management functions, the risk management framework and the reports produced will be of special focus.
Again, the process must be formally documented and should remain consistent over time. This process should also be more than just a tick-the-box exercise. The objective should be to build and run a process that enables the delegating entity to have a complete view of what is happening on the delegate side and to identify the potential risks and to formalise them in a due diligence report. In this context, it is important to emphasise that the communication flow should not be limited to a one-way discussion with the delegating entity asking questions to a delegate that gives its answer. Delegating entities should typically, constructively challenge the delegate on aspects that are unclear or appear risky. In addition, onsite visits, that aim to clarify aspects and check reports and policies must also become standard. Following the same logic mentioned in the policies and procedures section, the due diligence process should be run and updated continuously with annual updates being the standard.
The policies and procedures aim to build a delegation framework, while the due diligence process formalises a detailed check on the delegate, its people, processes (and policies), structure and systems. This process is designed to answer the question: how do we select and monitor our delegates? A formal check on the capacity of the delegate is performed through the due diligence process. This process is designed to answer the question: is my preferred delegate able (or still able if ongoing) to perform its duties in line with my objectives, the level of risk I want to take, current regulation and market standards and is all this in the interest of the final investors? The third aspect of delegation to be performed is the ongoing monitoring. You may wonder what the difference is between the due diligence process and the ongoing monitoring? In practical terms, the due diligence is the formal documented check on every aspect of the delegated function as explained in the previous section. Ongoing monitoring is about how the delegate is performing, checking on any issues or challenges faced either on the operational side, regarding trading or controls. This monitoring provides the check for where we stand relative to performance or risk objectives and the construction of reports around them. Other points of focus include the adequate balance between the work of the delegate, the objective of the delegation and the risk involved or, for example, the reporting and analysis of operational challenges or errors. This process is more frequent and, even if not performed continuously, it should be performed very frequently.
While we have focused on delegation and oversight so far, this section identifies some of the elements that are key regarding the delegation of the portfolio management function. The elements mentioned in this section are on top of what has been explained before. Some of the requirements listed in the new CSSF circular include the fact that portfolio management activities can only be delegated to authorised or registered companies with the right agreement to manage portfolios that are regulated and that are under prudential supervision. No mandate can be given to the custodian bank – it lists a series of conditions that have to be respected and some specific aspects that should be put in place in the contract. There are also specific elements to be checked during the due diligence process and others during the continuous monitoring one. Some of the elements to be reviewed specifically during the due diligence include: the review of the investment process; the verification and consideration of the track record; the consideration of size; capabilities and experience of the team; and the review of some specific policies like the best execution policy or the personal transaction policy. The continuous framework should include, for example, control mechanisms on the respect of the objectives, investment strategy and/or risk limits, checks on the number and nature of trade incidents or the check on the number and nature of operational errors and the implementation of corresponding corrective measures.
A particularly hot topic is delegation within a corporate group. This topic has been discussed extensively within the ESMA opinion. There is nothing here to suggest that white-label or in-house delegation processes should be any different. To prevent readers from inferring this, the regulator even mentions rules specific to entities that are part of a corporate group on multiple occasions. These include the fact that conflict of interest policies and procedures should, where relevant, reflect the fact that potential conflicts are specified in the policies and procedures. In addition, but independently of that, the governing/management body of the authorised entity should have the ultimate decision-making power over the business conduct of the authorised entity even where the entity is part of a corporate group.
There are two more potentially sensitive elements, the first being that where authorised entities intend to delegate functions to entities within the same corporate group, due diligence should be carried out by the authorised entity and the selection of a group entity should be based on objective reasoning. Secondly, no reporting lines to group functions or other individuals within the group should contradict the independence principle or impair the independence of internal control functions.
The Luxembourg circular states straightforwardly that the delegation control arrangements have to be performed by the delegating entity if one or more functions are delegated and that the same rules apply when an activity is delegated to entities belonging to the same group. Internal resources from the group can be used to some extent, for example regarding monitoring, but the role of the delegating entity should remain key in the process and the delegate should be controlled in a similar way based on the same principles.
As delegation has become a point of ever greater importance over the last decade, regulatory expectations regarding oversight of delegation have also evolved. This was formalised last summer in an ESMA opinion and more recently in Luxembourg through a dedicated section to delegation and oversight in the newly published CSSF 18/698 circular. These publications set the standards expected by the regulator and confirm how such activity should be organised and structured. Delegate oversight is no longer about sending a due diligence questionnaire to a delegate once a year. This new era for delegation and oversight is built around three angles: policies and procedures, due diligence and continuous monitoring, all of which should be written, formalised and documented. While this clarification can be seen by some as a challenge, it has the advantage of clarifying expectations and limiting ambiguity.