Regulatory circular 18/698 affects many fund industry back office functions and thus IT is impacted.
The note underlines best practice around anti-money laundering and governance, and requires investment fund managers (IFM) to follow this and provide proof they have done so. Thus, key IT functions need to be compliant and outsourcing relationships must also be tested and secure.
The European Banking Authority is conducting on-going audits of member states’ anti-money laundering and counter terrorism financing rules and enforcement procedures. They will be in Luxembourg this year. Then in 2020 the OECD’s Financial Action Task Force will be back for their once-a-decade check of these rules. Circular 18/698 is part of the Grand Duchy’s response to show that the fund industry is compliant.
“The emphasis is on IFM’s ability to demonstrate that they are taking their responsibilities,” said Marc Marly, Head of Regulatory and Compliance at Alpha FMC, a global consultancy to the asset and wealth management industry. “Much of 18/698 is not new and many procedures should already be in place, but there is need for proper management information and oversight to demonstrate their adherence to the circular. Both internal and external IT providers need to be challenged and tested,” he added.
Rules surrounding IT were mentioned and have been updated. The previous (and now repealed) circular 12/546 required IFMs to have suitable technical and IT infrastructure, including safeguards for the security, integrity and confidentiality of data. This included having adequate hardware and software in-house, as well as comprehensive back-up solutions.
With the introduction of 18/698, IFMs are now required to follow rules in the “cloud circular” 17/654, which previously only applied to certain financial institutions. 18/698 defines the role and function of the “cloud officer” and outlines when cloud-related rules are relevant.
“ManCos that delegate to an IT company must ensure that proper governance is in place and that confidentiality, integrity, and data accessibility rules are followed,” Mr. Marly explained. This also includes checks on relationships with outsourcing providers. “You need a clear contract between the ManCo and the IT provider, with a service level agreement covering each delegated service, KPIs and evidence of fit-for-purpose processes,” he added.
On-going due diligence
There is also a new requirement that obligates the IFM to have procedures in place to identify and manage IT risks. These risks relate to data confidentiality, business continuity, IT system resilience, IT fraud, cyber attacks and more. The new text also highlights how IT governance principles should be central to the IFM’s working practices, with the IT function integrated as part of the second line of defence in the “three lines of defence model.” The circular also references GDPR and how personal data is controlled. A breach, regardless of size, should be documented and remediation solutions should be explained.
There must be continuous dialogue with providers to create an always-on culture of due diligence. “IFMs need to talk to IT providers every month about any issues, and they need to provide documented proof that they have dealt with these, because the CSSF can ask for it,” Mr. Marly said.
Yet, although these questions involve IT, they need to be addressed via a company-wide response. This can even go as far as requiring modification of certain strategic considerations. In the end, this circular will give decision-makers greater visibility on risks and enhance protection for investment funds and their investors.