Hedge Fund Operational Due Diligence

Cash transfer controls: getting below the surface

Originally published in the November/December 2012 issue

Effective account opening and cash transfer procedures are the most important and simplest safeguard to prevent the misappropriation of a fund’s assets. In almost every operational risk review, a fund manager will be asked, “What controls exist over cash transfers?” In most instances, the manager will reply: “All transfers require multiple staff to prepare, review and approve transactions prior to cash movement.”

Getting below the surface and investigating in detail the manager’s assertion that a ‘four eyes’ approach is required to approve all transfers can, however, yield a very different result. Controls over cash may vary amongst firms due to size and the nature of securities traded. Investors must be aware, therefore, that practices across the industry may differ as to how new accounts are vetted and authorized (e.g., by the fund’s board vs the fund manager, dual vs single signature, etc.), the manner in which cash may be transferred (electronically, fax instruction, cheque book), the involvement of third parties to authorize cash movements, and how cash transfer procedures can be altered. In our experience, significant divergences can emerge between policy and practice and unintended loopholes may exist to circumvent controls.

Account opening procedures
A number of key staff within a large hedge fund firm are often involved in opening a prime brokerage account: legal staff negotiate agreements; IT staff assess technological capabilities and communications to ensure data can be exchanged between systems; operations staff review service levels and ensure transactions can be readily processed and accounting records properly reconciled; compliance staff check legal and regulatory history; and risk staff assess the financial stability and creditworthiness of the institution itself. For the largest managers, these procedures may be conducted under the auspices of a counterparty oversight committee. For smaller managers, many of these procedures may be undertaken by the COO who, in addition to his operations responsibilities, may have ultimate responsibility for IT, legal and compliance matters. It is also not uncommon for firms to use external legal counsel and consultants to assist in these procedures.

In many cases, a fund’s board will review and approve the account opening forms and authorize individuals (or an individual) to sign the forms on behalf of the fund. In other instances, the board may have delegated the responsibility of opening accounts to the manager, in which case the manager’s signature policy will apply.

Where a sole signatory is able to open new accounts, investors must carefully consider mitigating controls such as the dual authorization of changes to the account mandate, dual authorization of cash transfers, low thresholds for single signature transfers to accounts in the name of the fund, administrator involvement in the cash transfer process and daily cash reconciliations by the administrator.

Example 1: A hedge fund manager with $5 billion of assets under management had a dual signatory cash transfer policy in place for all transfers over $3 million. Under that amount, transactions could be made by any one of the firm’s three principals for transfers to accounts in the name of the fund. Further review revealed that these same three individuals could open new accounts on a single signature. In this instance, there was a potential for a failure of controls through the transfer of monies to a new account opened by a sole signatory and from there to a third party account.

A sound cash transfer policy is a preventative measure against fraud; that is, it prevents the unauthorised movement of cash before a transfer can take place and does not rely on counterparties or back office reconciliations to identify unauthorised transfers after the fact. At a minimum, any transfer of cash to a third party should require approval from at least two authorized signatories. A tiered approval process, whereby cash transfers above a certain threshold are approved by additional authorizers, could provide further assurance.

Where a signatory policy allows any form of transfer on a single signature (e.g., between accounts in the name of the fund) it should require dual authorisation of any changes to standard settlement instructions. Furthermore, any changes to the authorised signatory list and to the signatory policy itself should require dual authorisation.

Authorised signatory list
The investor should obtain a copy of the hedge fund manager’s cash transfer policy for review. The policy can then be verified against the manager’s practice through discussion and sample reviews of account opening documents and wire transfers.

The starting point is to understand the number of staff authorised to transfer cash and what responsibilities they hold at the firm. Segregation of duties, the basis of cash transfer controls, serves as a deterrent to fraud and concealment of error as the individual perpetrating the breach needs to recruit another individual’s cooperation, via collusion, to conceal it. Looked at another way, segregation of duties is vulnerable to collusion. Collusion, however, generally requires a high level of familiarity and trust between the offending parties. Thus, the closer the relationship between authorized signatories on a cash transfer list, the greater the risk of collusion. Staff who are related to one another are an obvious example. Investors need to be watchful for staff who have a familial relationship and bear in mind that related staff may have different surnames.

Next, what support is required for cash transfers and what evidence is there that it was reviewed? Evidence of authorisation will depend on whether cash transfers are typically performed manually (e.g., paper-based, fax) or by electronic means (e.g., banking platforms, proprietary manager systems for cash transfers). Evidence can be a signature on paper instructions or electronic approval of system-stored instructions. Although rare, funds may still use a cheque book and signature stamps for cash transfers, requiring another level of questioning regarding the safeguarding of these items when not in use. It is also encouraging to see checks on cash transfers, such as the use of callbacks, a daily cash movement report distributed to management, or daily cash reconciliations, although the latter are detection, rather than prevention, controls.

Policies and procedures
The umbrella term ‘cash transfer controls’ may well incorporate a number of distinct workflows and fund accounts, each of which may have its own nuances and each of which must be understood and assessed for potential weaknesses.

Differing workflows (transfers between accounts in the name of the fund, subscriptions and redemptions, payment of fund expenses, payments for private securities, etc.) may have dissimilar procedures and/or use different systems (as discussed further below), requiring an understanding of each separate process. Certain processes may be performed by the administrator (which often pays fund expenses and redemptions), for example. This can strengthen segregation of duties in the cash transfer process, but necessitates an additional conversation with the administrator to cover the same questions (segregation of duties, authorized signatory policy, etc.) that were covered with the manager.

Investors should ensure that they have a comprehensive list of all parties holding the fund’s cash (banks, prime and clearing brokers, and custodians) and should understand how the manager’s policy is applied to each account. Custodial restrictions may, for example, allow the transfer of cash only to specified accounts in the name of the fund, which can reduce the risk of fraudulent or mistaken transfers.

Verification: policy vs. practice
Practice should be consistent with firm policy. Account opening documents and authorised signatory lists with a sample of banks, prime/clearing brokers and custodians should be reviewed to verify what has been understood during discussions with the hedge fund manager. Are the requirements communicated in line with the manager’s policy? Does the list of authorised signatories mirror that which is outlined in the policy? Often, practice does not match policy; account opening documents may note that a sole signatory can move cash, or staff on signatory lists may have left the firm. The signatory policy and authorised signatory lists should be kept current and redistributed by a designated member of senior management upon changes in staffing. The investor may also wish to confirm cash transfer procedures with the administrator, as it is often involved in the cash transfer process.

Example 2: A hedge fund manager presented us with an internal cash transfer policy which had a standard dual signature requirement. Yet, when reviewing the original account opening documents with the fund’s main custodian, it was very clear that only a single signature was required to move cash or to change signatories. It is essential to tie the manager’s policy to the actual instructions in place.

Most hedge fund managers transfer cash by electronic means. This requires the manager’s policy to be adapted in practice to every institution, each of which has proprietary systems and processes for setting up users and making changes to authorised activities. Investors need to understand who is authorised to add new staff or alter permissions on each electronic platform as this can occur in many ways; online access changes may be implemented on instruction by one named administrator at the manager, effectively circumventing the firm’s dual signatory policy. Requiring two staff (or a callback to a different staff member) to approve changes in these processes is essential to ensure that the required level of control is in place.

Even if procedures over platform permissions are sufficient, electronic payment applications can present additional complications. There can be instances, for example, where the persons authorised to approve cash transfers electronically are different than those on the manager’s authorised signatory list.

Example 3: A hedge fund manager’s cash transfer policy stated that any two signatures of the five senior operations personnel listed were required to move cash. Yet, upon further questioning, it became apparent that the online banking platform which was used for 90% of all transfers required only one signature from this list alongside that of another more junior staff member. In essence, a dual signatory policy was in place, although not quite in the same form as that presented to investors.

Electronic systems may also be difficult to tailor to a threshold-based policy (e.g., certain staff can sign for amounts less than $1 million), creating a further potential for divergence between policy and practice.

Although most electronic platforms have experienced good levels of ‘uptime’ to date, manager staff must also be aware of the cash transfer procedures to be followed if electronic platforms are not available.

Account opening and cash transfer policies and procedures are critical to protect fund assets. As cash transfer controls are only as strong as their weakest link, this is one area of operational risk where getting below the surface and spending the time to really understand what is happening in practice is clearly warranted.

Ticking the box after a cursory review of the firm’s signatory policy could leave a significant area of risk unchecked.

Amber Partners is an independent operational risk certification firm to the hedge fund industry and an expert in the field of operational due diligence. It conducts comprehensive ODD, awarding certification to hedge funds that meet an industry benchmark of operational quality. Amber Partners certified funds are industry leaders, have a commitment to operational best practice, and have responded to investor requirements for greater operational transparency.

• Assets under certification (AUC) of approximately $83.5 billion.
• Certification is announced annually to approximately 3,000 registered users of Amber’s website, including pension funds, endowments, consultants, family offices, banks and funds of hedge funds.
• Independent annual “kick the tires” review is conducted by professionals with a combined 80 years of direct experience in hedge fund ODD, operations, operational risk management and fund administration.