French regulator AMF criticizes internal control outsourcing processes among asset managers
Trading platform providers, technology vendors, market integration companies and liquidity providers are under the microscope as French regulatory authority AMF looks at outsourcing in capital markets
As part of its SPOT thematic inspections, the AMF examined how seven asset management companies (“AMCs”) outsourced internal control to three firms. The inspections were aimed at encouraging good practice in the selection and monitoring of service providers, and in the periodic review of the quality of their work.
the AMF says that outsourcing of internal control is a model that is particularly widespread in France among small AMCs. Internal control plays a key role in management, which is why the AMF has made this issue one of its supervision priorities for 2020. It therefore examined the practices of seven separate entities. The practices that it observed have been published in a review today.
The verifications mainly covered the period 2017-2020 and examined the internal control organisation of the AMCs(selection of the service provider, resources allocated, scope of outsourcing, governance, etc.), the procedures and methodology for conducting controls and the control plan;
practical implementation of the control process, reporting to senior management and the AMF, the system for evaluation and monitoring of the service provider by the AMC.
The outsourcing of internal control encompasses different scopes from one AMC to another. In all but two cases, the allocation of human resources corresponds to or exceeds what is provided for in the programme of operations. However, the AMF noted that the distinction between permanent control (second-level control of the correct performance of first-level controls by operational teams) and periodic control (audit or third-level control) is clear neither for the entities in the sample nor for service providers.
In most cases, periodic control does not concern the control work carried out in the framework of second-level controls and is reduced to no more than occasional permanent control. For example, the AMF highlighted the poor practice of not allocating strictly separate human resources to permanent control and periodic control in a given firm in charge of outsourcing.
With regard to the conduct of controls, the AMF noted that five entities did not have sufficiently precise and operational procedures. Although they all had compliance and annual internal control plans drawn up by or with the assistance of the service provider on the basis of reporting data or internal control plan for financial year n-1, only two of them had formalised priorities based on their assessment of the non-compliance risk assessment, which is good practice.
In order to assess concretely the implementation of these internal control outsourcing systems, the AMF conducted its inspections of each AMC in three of the four issues below: investment and valuation processes, the anti-money laundering and combating the financing of terrorist, compliance with the Markets in Financial Instruments Directive framework (MiFID II) for discretionary management activities, and cybersecurity.
The inspections showed that the procedures related to these themes are not always sufficiently precise or operational, sometimes omitting the necessary due diligence or the updating of regulatory references. Overall, the AMF observed that major check points were not implemented.
The structure of reporting to senior management varies from one AMC to another. In three cases, the reports appeared to be incomplete. Some of the good practices observed were the inclusion in the internal control reports to senior management of a summary table of the risks identified during the controls performed over the period and a section dedicated to the follow-up of recommendations. Conversely, for the entire sample, the AMF highlighted the failure to mention the anomalies identified by the internal control function in the annual fact sheets and annual inspection reports sent to the AMF.
Lastly, the AMF noted that in three cases the service provider was not monitored and in the other cases, the due diligence carried out was not always sufficient. In this respect, filling out an annual form on an ongoing basis in order to formalise the monitoring of the internal control service provider was one of the good practices observed.
Overall, this series of inspections revealed an excessively disparate level of effectiveness of the internal control systems that use the services of service providers. In some cases, these systems are insufficient, both in terms of the depth of the analyses and the traceability of the due diligence performed. All AMCs that wish to outsource their internal control must pay special attention to the choice and monitoring of the service provider. To improve practices, the AMF will therefore clarify its policy.