AFM Exploration of ESG Data Risk Management by Asset Managers

TOEZICHT RAPPORT OCTOBER 2024

In brief Asset managers frequently use ESG data. To prevent incorrect information provision and wrong decisions regarding corporate objectives and risk exposure, it is important that they ensure the reliability and independence of this data. Thanks to an exploration, the AFM has gained insight into how ESG data is handled and how it is verified whether the data is correct and complete. This report shares a number of observations from the AFM that can help asset managers in setting up processes, systems, and internal controls for risk management regarding the use of ESG data.

Contents

1. Introduction 2
2. Observations 4
3. Challenges 7
4. Next Steps 8 Appendix 1: Research Design 9 Appendix 2: Identified (ESG) Data Risks with Description 10

---

AFM Exploration of ESG Data Risk Management by Asset Managers TOEZICHT RAPPORT

1. Introduction

1. The way in which managers of investment undertakings and UCITS, and investment firms, give shape to the applicable provisions of Article 4:14 of the Financial Supervision Act (Wft) regarding orderly and prudent business conduct is an essential part of supervision.
2. Directive 2010/43/EU (UCITS Implementing Directive) and Delegated Regulation (EU) No 231/2013 (Delegated AIFMD Regulation).
3. Delegated Regulation (EU) 2017/565 (Delegated MiFID II Regulation).
4. See Article 2, point 17 of the Regulation on sustainability-related disclosures in the financial services sector (SFDR) EU (2019/2088), where the 'do no significant harm' principle is used in the definition of sustainable investment.
5. See research design in Appendix 1.

Asset managers frequently use ESG data. They indicate that the availability, reliability, and comparability of this data pose a challenge. How do asset managers deal with this, and how do they ensure that the data used is correct and complete? The AFM conducted an exploration. This report presents the key observations, which can help asset managers in setting up processes, systems, and internal controls for risk management regarding the use of ESG data.

Supervision on compliance with rules for orderly and prudent business conduct

The Dutch Authority for the Financial Markets (AFM) supervises compliance with the rules for orderly and prudent business conduct that apply to investment firms and managers of investment undertakings and UCITS (hereinafter: asset managers).¹ This also includes supervision on compliance with European legislation.

As a result of changes to the UCITS Implementing Directive and the Delegated AIFMD Regulation², managers must ensure that sustainability risks are integrated into risk management processes and taken into account in investment policy. Requirements have also been set for investment firms regarding the integration of sustainability risks. These requirements are laid down in the Delegated MiFID II Regulation³.

To fulfill these requirements, asset managers need Environmental, Social, and Governance (ESG) data for – among other things – the identification and management of relevant sustainability risks, measuring the adverse impacts of investment decisions, and determining criteria regarding the 'do no significant harm' principle.⁴

Availability, reliability, and comparability of ESG data is a challenge

Asset managers can obtain the necessary data directly from the issuing institution, apply or develop methods themselves to calculate ESG data, or purchase it from external data providers. Nevertheless, asset managers indicate that the availability, reliability, and comparability of ESG data is a challenge. As a result, the data needs of asset managers cannot be fully met in the short term.

Observations help asset managers in setting up processes, systems, and internal controls for risk management

Ensuring safeguards regarding the reliability and independence of ESG data is an important prerequisite for adequate management and integration of sustainability risks into business operations and investment policy. The AFM therefore conducted an exploration into the management of risks surrounding the use of ESG data among 6 asset managers⁵. Additionally, the AFM received explanations from another 4 asset managers and the industry organizations DUFAS and VV&A during a roundtable discussion on this topic. The AFM has thereby gained insight into how ESG data is handled and how it is currently verified whether the data is correct and complete. The AFM shares these observations with the market because they can help asset managers in setting up processes, systems, and internal controls for risk management regarding ESG data.

Key Observations

Based on the conducted exploration, the AFM arrives at 4 observations regarding specific themes in the field of (ESG) data risk management.

1. Asset managers have set up the governance structure regarding the management of ESG data risks in various ways.
2. Many asset managers use (one or more) external data providers for the largest part of their ESG data needs.
3. Using a clear definition of data risk helps asset managers in identifying and managing this risk.
4. Asset managers have both proactive and reactive policies and control processes to ensure the quality of ESG data.

The following chapter describes the observations in more detail. The subsequent chapter presents the challenges asset managers face when collecting and processing ESG data.

---

AFM Exploration of ESG Data Risk Management by Asset Managers TOEZICHT RAPPORT

2. Observations

This chapter contains the key observations that can help asset managers in setting up efficient risk management regarding the use of ESG data.

Observation 1. Different setup of data governance structure

Asset managers have set up the governance structure regarding (ESG) data and (ESG) data risks in various ways.

Of the 10 asset managers who participated in one or more phases of the exploration, 4 asset managers have set up a data management structure.

• They have formalized responsibilities regarding the use and control of data within the governance structure by assigning the roles of data owner and data steward.
• Some asset managers distinguish between ESG data and non-ESG data, while others use the same structure for all types of data.
• One of these asset managers has drawn up a separate data risk management policy and established a data governance committee.

At the time of the exploration, 6 asset managers had not yet specifically set up or documented responsibilities regarding (ESG) data. Two of these asset managers refer to their Three-Lines-of-Defense setup in general terms, and two asset managers state that they are assessing whether to set up a specific structure for (ESG) data.

Asset managers set up the governance structure regarding (ESG) data at their own discretion, either via a specific data management structure or embedded in their general Three-Lines-of-Defense setup. The AFM expects asset managers to incorporate responsibilities regarding (ESG) data and (ESG) data risks in the governance structure in a manner appropriate and effective for the institution.

Observation 2. ESG data mainly via external providers

Many asset managers use (one or more) external data providers for the largest part of their ESG data needs.

The exploration has shown that asset managers make extensive use of external providers to obtain ESG data. Larger parties often use multiple external providers to meet their ESG data needs. This is done, among other things, due to specialized data needs per investment theme (where providers' data offerings do not cover the entire spectrum) and to be able to compare data, thereby achieving a minimal error margin in the datasets. For smaller parties, this is often too expensive.

The AFM has also observed that asset managers collect or compile data to varying degrees themselves, for example by requesting it directly from the issuing institution or calculating it themselves based on internal methods. This 'internal data' varies from 10% to 100% of the total ESG data used by the respective asset managers.

Choice for external providers

Important reasons why asset managers purchase ESG data from external providers are:

• External providers collect ESG data from companies and countries on a large scale, making it more cost-efficient for some asset managers to purchase this data rather than building it internally.
• External providers have specialized knowledge and expertise in complex ESG topics, such as climate risk models.
• External providers possess ESG data that is difficult or not available in any other way, for example, analyses of satellite images.

Choice for internal development

In some cases, asset managers consciously choose to build ESG data and/or ESG data products internally. The main reasons for this are:

• High-quality, suitable, or reasonably priced data is not always available via external data providers. This applies especially to data on private markets, low-income countries, and smaller enterprises.
• Internal data aligns better with the own risk model for identifying and weighting ESG risks.
• The alignment of internal data may also be better with the method(s) for translating ESG data into an ESG outcome for a specific activity, investment, or portfolio if those method(s) were developed by the asset manager themselves.

Asset managers have their own valid reasons for choosing to externally purchase or internally build the ESG data needed for their business processes and risk management. Whichever variant asset managers choose, the AFM expects them to set up appropriate controls regarding ESG data flows to ensure the correctness and completeness of the data.

Observation 3. Definition of data risk helps in risk identification and risk management

Using a clear definition of data risk helps asset managers in identifying and managing this risk.

Definition of data risk

The exploration has shown that 4 asset managers use a fixed definition of data (management) risk within the organization. For 3 asset managers, the concretization of the various identified data risks is also worked out in internal documentation (such as the risk management framework and risk appetite statement). One asset manager also indicated that the size of their organization does not necessitate rolling out such a definition across the entire organization, but that it proves useful in practice.

Risk identification

Starting from their own data risk definition, the involved asset managers have identified various risks surrounding the use of (ESG) data. These vary in theme from operational risk to data quality risk to continuity risk. An overview of these is included in Appendix 2.

Risk management process

The exploration has shown that 2 asset managers have specifically set up processes and controls for ESG data to assess and manage the identified risks surrounding the use of this data. The other parties have not specifically set up a process for ESG data to mitigate the identified risks.

Instead, these risks are taken into account in generic risk management activities and control processes. This can be explained by the fact that not every asset manager distinguishes between ESG data and other data.

Because risks surrounding the use of (ESG) data can be defined in various ways and levels, it is advisable to speak the same language within an organization about what this means and entails. A clear definition of data risk helps with this.

Asset managers set up the management processes regarding (ESG) data risks at their own discretion, either via a separate structure or embedded in existing risk management frameworks. Whichever variant an asset manager chooses, the AFM expects (ESG) data risks to be on the radar within the organization and to be managed effectively.

Observation 4. Both proactive and reactive policies and control processes support data quality

All asset managers have both proactive and reactive policies and control processes to ensure the quality of ESG data.

Proactive data quality policy and control process

All participating parties in the exploration have or are developing a so-called proactive policy and process to ensure data quality. This policy includes, among other things:

• Data agreements are used to record agreements on data quality between data owner and data user, including on accuracy, timeliness, and completeness.
• The timeframes for retaining data and who bears responsibility for this are documented.
• A distinction is often made between critical data, which is material for a business process, and non-critical data, to determine the appropriate types and degree of control.
• Structural control processes have been set up regarding the correctness and completeness of (ESG) data.
• Some asset managers have stated that they also perform ad-hoc controls on data quality in some cases, for example, regarding notable outliers and potential new investments.
• One asset manager is trying to improve data quality by contributing to sector initiatives for standardization.

Reactive data quality policy and control process

The exploration has shown that all asset managers also have a so-called reactive data quality policy translated into an embedded control process. This occurs when irregularities are found between the (purchased) data of different external providers, between the output of different (ESG) data sources, or between internal data calculations and data from external providers. These irregularities come to light, among other things, during the structural quality controls performed by asset managers or when data users report problems with the data.

Feedback loop to external providers

When asset managers identify irregularities in the (ESG) data in a dataset from an external provider, all asset managers contact the respective provider. They require the provider to register the incident and conduct necessary investigations, and to inform them as soon as possible of corrective measures. A few overwrite the relevant data points in the dataset themselves after receiving feedback from the external provider.

Data enrichment

The exploration revealed that asset managers generally only use backward-looking ESG data, even when making estimates if no data points are available for a specific issuing institution. Only a few include forward-looking estimates for listed investments to enrich internal data, for example, by conducting analyses of future macro and micro trends.

The asset managers who participated in the various phases of the exploration have all documented both proactive and reactive policies, and set up the associated control processes, to check the quality of the required (ESG) data. This ensures that correctness and completeness are checked prior to the internal processing of (ESG) data, and irregularities in the use of data can be corrected. It is important that asset managers remain critical regarding the quality of (ESG) data and, where possible, perform their own controls to ensure data correctness.

---

AFM Exploration of ESG Data Risk Management by Asset Managers TOEZICHT RAPPORT

3. Challenges

The exploration also revealed a number of challenges regarding the acquisition and use of ESG data.

Methodologies

Transparency regarding the methodologies of external providers is lacking. This makes it difficult to compare data from one provider with data from another provider. It also appears that there is often no consensus on the methods to arrive at ESG indicators. This is the result of the large (and rapidly growing) number of ESG data providers, the different ways of collecting data, and the fact that external providers use different definitions for the same data points.

These challenges are difficult for asset managers to overcome themselves.

Uniformity

Another challenge is the lack of uniformity in the delivery of data by ESG data providers or by companies in which investments are made. This increases the chance of data errors. A number of asset managers are trying to mitigate this risk by requiring that ESG data be delivered in prescribed formats.

Timeliness of data

Asset managers also encounter the issue that the timeliness of data is not always guaranteed, as companies usually only report once a year. This is addressed by a few through the application of so-called freeze periods. This means that the data used is fixed as of a certain date and is no longer changed thereafter. In this way, it is ensured that further processing is based on the same data, even if later data reports are released.

Linking to the correct company

Finally, it sometimes proves difficult to link data to the correct company due to complex legal structures and very similar names. As a possible solution, participating asset managers suggest the use of LEI codes, as ISINs are not always available.

---

AFM Exploration of ESG Data Risk Management by Asset Managers TOEZICHT RAPPORT

4. Next Steps

The AFM expects asset managers to continuously pay attention to honest and orderly business conduct. This also includes the adequate management and integration of sustainability risks into business operations and investment policy. An important prerequisite for this is ensuring safeguards regarding the reliability and independence of ESG data. The observations from this exploration can further help asset managers in setting up processes, systems, and internal controls for risk management regarding ESG data.

The AFM will continue to pay attention to the various aspects of risk management at asset managers in the coming period, including risk management regarding the use of data in general.

---

AFM Exploration of ESG Data Risk Management by Asset Managers TOEZICHT RAPPORT

Appendix 1: Research Design

The preceding chapters contain the observations that can further help asset managers in setting up processes, systems, and internal controls for risk management regarding ESG data. These are based on an exploration conducted by the AFM among 6 asset managers, and the additional insights the AFM gained from another 4 asset managers during a roundtable discussion on this topic. This appendix describes the research design.

The exploration was conducted in three phases and took place in the second half of 2023 and the first half of 2024.

In phase 1, the AFM sent a questionnaire to 6 participating asset managers. The questionnaire contained questions about ESG data and/or ESG data products obtained via the services of one or more external providers (referred to as 'external ESG data') and questions about ESG data obtained directly from the issuing institution or calculated by managers and investment firms using their own applied or developed methods (referred to as 'internal ESG data'). These questions focused on 4 specific themes regarding (ESG) data management:

1. Data governance
2. Data design and use
3. Risk management
4. Data quality

The 6 asset managers to whom the information request was sent were selected, among other things, based on 'assets under management' (AuM) and 'dominant investment strategy', to arrive at a selection representative of the entire asset management sector. These asset managers use ESG data for various purposes. This varies from the selection and monitoring of investments, reporting to clients and stakeholders (including regulators), to risk management.

In phase 2, in-depth interviews were conducted with 4 of the 6 participating asset managers. These asset managers were randomly selected. The goal of the interviews was to obtain further information on how they have set up risk management regarding ESG data within the organization, and what choices they made in this regard. To strengthen market insight regarding ESG data, the AFM also held informational interviews with 2 providers of ESG data at the beginning of the exploration.

Based on the information obtained from phase 1 and phase 2, the AFM arrived at a number of observations. These observations formed the basis for phase 3.

In phase 3, a roundtable discussion took place. The roundtable discussion aimed to further investigate the observations from phase 1 and phase 2 and to gauge the broader thinking in the market. The group present therefore consisted not only of asset managers who participated in phase 1 and/or 2 of the exploration, but also of 4 asset managers who had not previously been involved in the exploration, and the industry organizations DUFAS and VV&A.

---

AFM Exploration of ESG Data Risk Management by Asset Managers TOEZICHT RAPPORT

Appendix 2. Identified (ESG) Data Risks with Description

This appendix contains an overview of the risks surrounding the use of (ESG) data identified by the participating asset managers. These risks do not necessarily need to be relevant for every asset manager (to the same extent). Moreover, this is not an exhaustive overview. Asset managers may also identify other risks.

Risk	Description
Operational Risk	• Incomplete or incorrect administration of investments and transactions<br>• Incorrect follow-up of investments due to erroneous processing and analysis of information
IT Security and Business Continuity Risk	• Availability of information systems not guaranteed<br>• Integrity and reliability of files not guaranteed
Data Quality Risk	• Timeliness, completeness, correctness, availability of data not in order.<br>• Consequences: incorrect representation of reality (greenwashing) and wrong investment decisions
Data Management Risk	• Sl...