2024-07-17

SREP Market Overview: Feedback on Key Findings

The Dutch Authority for the Financial Markets (AFM) issued this document to provide market-wide feedback on the first Supervisory Review and Evaluation Process (SREP) questionnaire sent to 240 investment firms in 2023. The report highlights significant governance gaps, particularly regarding ICT risk management frameworks, the implementation of Product Approval and Review Processes (PARP), and the formal documentation of management oversight and board involvement. It warns that many firms lack adequate business continuity plans, risk action plans, and understanding of custody bank arrangements, urging immediate improvements to ensure compliant and orderly business operations.


Netherlands

Autoriteit Financiële Markten


ANALYSE SECTOR IN BEELD JULY 2024 SREP Market Overview: Feedback on Key Findings

In Brief

As of January 1, 2023, the Supervisory Review and Evaluation Process (SREP) guidelines for investment firms have been implemented. In 2023, the AFM sent two SREP questionnaires to 240 investment firms. These include asset managers, managers of investment undertakings with a MiFID top-up, proprietary traders (HERs), and trading platforms. In this SREP Market Overview, we provide market-wide feedback on the results regarding honest and orderly business conduct.

Introduction

Based on this feedback, you can determine whether you can still make improvements to your business conduct. The emphasis has been placed on a number of striking observations in the areas of ICT control, Product Approval & Review Process (PARP), governance, asset segregation, and management.

First Observations

ICT Control

Good ICT control is important for three reasons, in addition to safeguarding the institution's own business processes:

  1. It reduces the risk of misconduct in the chain (in the case of outsourcing);
  2. Cyber risks in the asset management market are increasing. This can lead to disruptions in the service provided to (end) customers;
  3. New legislation and regulations are coming for the sector (DORA). Good ICT control is the basis for DORA compliance.

In the first SREP inquiry, investment firms were asked to estimate the maturity of their ICT risk control level. For this purpose, a selection of control measures from the DNB Good Practice Information Security was used. Surprisingly, many investment firms appeared to be relatively unfamiliar with the DNB Good Practice Information Security and/or were engaging with this method of inquiry (a self-assessment) for the first time.

The second inquiry consisted of more closed questions. It emerged that a third of the investment firms can still improve the setup, management and/or formal establishment of their ICT risk management framework. This is striking, because an established ICT risk management framework is the starting point for good ICT risk control. In the ICT risk management framework, the institution indicates how it deals with risks in the field of information security.

Furthermore, the results show that one in three investment firms does not regularly perform risk analyses. Investment firms run the risk of not being aware of all current and potential (cyber) threats they face.

Finally, it was noted that many investment firms do not perform a Business Impact Analysis (BIA) and/or do not have a risk action plan. A BIA and a risk action plan are two different things: after a risk analysis, you make a plan to reduce a risk, which is the risk action plan; a BIA is made as the starting point of your Business Continuity Plan (BCP). A risk action plan states how companies deal with risks that are not sufficiently reduced by existing security measures. In the absence of a risk action plan, risks can cause significant damage to the relevant investment firm and/or the financial system.

Figure 1. ICT Risk Management

What do we see in Figure 1? What percentage of companies assesses its ICT risk management as sufficient? In this figure, the score is broken down into several elements that are part of the ICT risk management framework.

Most investment firms state that they have established an independent control function responsible for the management and supervision of ICT risks.

The SREP results also provide a picture of the ICT control topics that investment firms seem to find difficult. This specifically concerns testing their digital operational resilience and testing the Business Continuity Plan. By testing regularly, a company gains insight into the actual resilience of its processes and systems.

Many investment firms give themselves an insufficient grade regarding crisis communication plans. The guideline used is that companies are considered to have difficulty with a topic when fewer than 75% of companies score sufficient on it.

Product Approval & Review Process

A well-structured Product Approval & Review Process (PARP) is important because:

  1. It explicates the product and distribution strategy;
  2. It provides insight into the balanced trade-offs that must be made when bringing new products and/or services to market;
  3. It forms the basis for the elaboration of (chain) processes.

There is still work to be done in the area of PARP. Too many investment firms (more than 20%) incorrectly believe that PARP does not apply to them.

Some investment firms believe that PARP does not apply to them because they only offer asset management or provide investment services. Other investment firms think they do not need to do anything with PARP because they do not create their own products, only work with professional relationships, or exclusively select external investment solutions. Even in the above circumstances, investment firms must have a PARP.

Figure 1 data. Estimation of the maturity of the ICT risk control level on various components, shown as the percentage of institutions that scores sufficient (n=251; bars show the number of institutions scoring sufficient, insufficient, or with no data, on a scale of 0 to 250):

  Information Security Policy: 73%
  IT Policy Management: 71%
  ICT Risk Management Framework: 69%
  IT Risk Assessment: 70%
  Risk Action Plan: 64%
  IT Risk Control Assigned to Control Function: 80%
  Continuous Identification of IT Risks: 74%

The Product Approval & Review Process improves in quality when:

  a. A question is viewed from multiple perspectives. For example: not only from Legal Affairs and/or Compliance, but also from risk management, operations, and product management.
  b. Multiple aspects are included in the assessment, such as defined target group, distribution strategy, and method of information provision. A clear separation of responsibilities, testing of scenarios, and a periodic evaluation of products and services also belong to the process.
  c. The target group determination is carried out in a structured manner. This involves elements such as risk tolerance, sustainability, investment horizon, customer location, knowledge and experience, and costs.

Although the Product Approval & Review Process does not apply to all parties (such as HERs), it appears from the figure below that a third of the investment firms for whom the obligation applies do not have a PARP process in place and/or that the setup leaves much to be desired.

Figure 2. SREP Scores PARP. How do institutions set up their PARP process? Approximately one-fifth of the institutions has set up an inadequate PARP process (n=198):

  Strong: 0 institutions
  Adequate: 129
  Weak: 26
  Inadequate: 43

What do we see in Figure 2? The graphical representation of the SREP scores on PARP. Based on the analysis of the results of this first SREP-PARP, it can be concluded that two-thirds of investment firms have set up the PARP adequately. One in three investment firms, for whom it is expected that they have set up a PARP, scores insufficient ('weak') or has not even set up a PARP ('inadequate').

Governance: Policy and Internal Control

In the first SREP inquiry, an inventory was made regarding the theme of internal risk control. This includes, among other things, policy documents, (risk) frameworks, codes of conduct, and procedures.

Good governance is important because it provides insight into how the company:

  1. Is structured with a view to ensuring the necessary separation of functions;
  2. Guarantees the effectiveness of control measures;
  3. Ensures an adequate and current translation of legislation and regulations into procedures and processes.

A very large majority (>90%) state that they have a policy on the theme of 'internal control'. However, this does not immediately mean that they have documented this policy well or that this policy is well implemented. A significant portion of investment firms (20%) still needs to establish (and implement) policy on other themes, such as entering into loans and/or other transactions with executives, and implementing the whistleblower regulation.

Asset Segregation

Good asset segregation is important because it contributes to:

  1. The improvement of investor protection;
  2. The financial stability of the sector;
  3. Orderly business conduct through clear administrative structure and control.

The results show that investment firms seem to have little insight into the services provided by (their appointed) custodian banks. Clients of these investment firms benefit from this insight.

Especially in the institutional segment, investment firms state that they are not always aware of the agreements made between the institutional investor and their custodian bank. This is particularly true regarding the subject of securities lending. If an investment firm is insufficiently aware of how institutional investors have structured their safekeeping function, this can impact their business conduct.

An investment firm must also be able to provide information to clients about what happens to their securities in the context of securities lending. If an investment firm uses multiple custodian banks - one of which lends securities and the other does not - clients must know this. Additionally, it is relevant whether the client also receives the full proceeds from the lending.

Management

In the inquiries regarding the structure of management, the composition and involvement of the board, the separation of functions, and the (ongoing) suitability of executives were examined. Measuring these aspects is important because a healthy composition, availability, and involvement are a prerequisite for:

  1. The continuity of the investment firm;
  2. Ensuring the necessary separation of functions;
  3. The ongoing assessment of suitability.

A third of investment firms state that they have a 'compact organization'; an organization where the board itself makes all reports and/or is so involved in daily business operations that they are always aware of the course of events in this way. But 'being aware' is not sufficient.

Involvement of the board, and the separation of functions, must be formally documented.

In open questions, 180 respondents provided insight into the extent to which the board of their company is aware of the activities, financial situation, and related risks. A third to half of these investment firms are at least regularly aware of developments.

In a market that is in full motion, which is reflected, among other things, in takeovers, mergers, partnerships, and/or changes in the business model (including outsourcing), the AFM notes that 40% of the parties state that they have never or not recently (in the past six years) had contact with the supervisor regarding significant changes in the organization and/or changes in the suitability of executives, while it is mandatory to report such matters to the AFM.

Figure 3. Open Answers to Some Management Questions (Structure of Management):

  - One-third of respondents (n=251) find that there is a 'compact organization'.
  - One-third to half of respondents (n=180) find that the board of their company is regularly aware of developments in activities, financial situation, and related risks.
  - 40% of respondents (n=251) state that they have had no contact with the supervisor in the past six years regarding significant changes in the organization and/or changes in the suitability of executives.

What do we see in Figure 3? In this figure, the analysis of the open answers to some questions regarding the theme of management, as described earlier, is graphically represented.

Methodology and Scores

The AFM focuses on the parts of the SREP inquiries that concern orderly and honest business conduct. However, this domain is broad. The AFM therefore chooses to request the various parts, such as risk management, outsourcing, remuneration policy, leadership & culture, in phases. The results are converted into so-called SREP scores. SREP uses a continuous rating from 1 to 4, where 1 stands for strong control and 4 indicates inadequate control of the relevant risk. Within this system, 2 stands for adequate and 3 for weak.

New Inquiry in September

Our next SREP inquiry will take place in September 2024. You will be informed about this in detail. In addition to some recurring data fields that contribute to the image of business conduct, we will this year, among other things, focus on complaints and incidents, outsourcing, and remuneration policy. A few weeks before the questionnaire is opened for answering in the AFM Portal, you will receive the announcement letter and a PDF of the questionnaire for preparation.