Risk Management by AIF Managers Can Be Improved on Several Points

Dutch Authority for the Financial Markets Chamber of Commerce Amsterdam, no. 41207759 Reference of this letter: ZëCl-21053367 Visit address Vijzelgracht 50 Postbox 11723 • 1001 GS Amsterdam Telephone +31 (0)20-7972000 • Fax +31 (0)20-7973800 • www.afm.nl AFM - Public NeeZ.VZëCl-21053367 - Feedback on risk management investigation Date 26 October 2021 Our reference ZëCl-21053367 Page 1 of 7 Subject: Feedback on risk management investigation

Dear Management,

In 2020 and 2021, the Dutch Authority for the Financial Markets (AFM) conducted an investigation into compliance with statutory requirements regarding risk management among seven managers of investment institutions (AIFs) that received a license by operation of law in 2014. Through this letter, the AFM provides generic feedback on the results of this investigation to all Dutch AIF managers, including those who obtained a license after 2014. The AFM shares these findings with you so that you can take note of them and, where necessary, implement improvements in your organization.

Based on this investigation, the AFM has determined that risk management at most of the investigated managers meets requirements in most areas; however, the AFM sees room for improvement on several points. During its investigation, the AFM also identified several shortcomings, particularly in the area of risk management policy and the hierarchical separation of risk management and operational tasks. The letter below elaborates on the investigation and its findings.

This letter is structured as follows:

1. Background of the investigation

2. The investigation

3. Findings

4. Conclusion

5. Background of the investigation

In 2017, the AFM conducted an investigation among twelve managers with a license converted by operation of law for managing AIFs. Through this investigation, the AFM sought to form an image of the quality of business operations, governance, and asset segregation among a portion of the managers who had not yet been subject to an AFM assessment following the entry into force of Directive 2011/61/EU of the European Parliament and of the Council on Alternative Investment Fund Managers (AIFM Directive). This investigation revealed substantial room for improvement regarding the quality of risk management, outsourcing relationships, the appointment of a depositary, the compliance function, the prevention of conflicts of interest, and the prevention of money laundering and terrorist financing. On 23 January 2018, the AFM published the main outcomes of this investigation¹.

Subsequently, in November 2018, the AFM sent a questionnaire to managers. This questionnaire addressed the findings and best practices from the report of 23 January 2018. The purpose of this questionnaire was to determine to what extent the content of the report had prompted managers to implement changes in their organizations. The AFM communicated the main findings from the questionnaire responses to managers via letter of 18 November 2019 (reference CrRg-19072627).

Investigation into Risk Management

The AFM chose to focus on risk management for this investigation for several reasons. Risk management is an important part of a manager's business operations and is crucial for investor protection. The 2017 investigation and the responses to the November 2018 questionnaire revealed that parties did not always meet the requirements, particularly in the area of risk management.

The AFM aimed to determine to what extent the selected managers had implemented the applicable provisions regarding risk management. The investigation also explicitly aimed to ensure that the selected managers improved the quality of their risk management where necessary. The AFM now shares the outcomes of this investigation with all managers, so that managers who were not part of this investigation can also adjust their risk management if necessary.

In assessing the risk management of the participating parties, the AFM tested whether the managers comply with Article 33a, second paragraph, of the Decision on Conduct of Financial Businesses Wft (BGfo). This article stipulates that managers must have procedures and measures in place that ensure compliance with the conditions set out in Article 15, first, second, third, and fifth paragraphs of the AIFM Directive, which are established with regard to the interests included in the first paragraph of Article 33a BGfo. These interests concern orderly and transparent financial market processes, fair relationships between market participants, and careful treatment of clients and participants. Article 15 of the AIFM Directive is further elaborated in Section 3 of Chapter 3 of Delegated Regulation (EU) No 231/2013 of the Commission of 19 December 2012 supplementing Directive 2011/61/EU of the European Parliament and of the Council with regard to exemptions, general operating conditions for managers, depositaries, leverage, transparency, and supervision (AIFM Regulation).

The investigation assessed both requirements regarding the manager and requirements regarding the investment institutions.

2. The investigation

The AFM conducted an investigation among 7 managers who received a license by operation of law in 2014. This investigation consisted of a written information request, whereby the investigated parties had to answer several questions and provide various documents. In some cases, additional interviews were also conducted. All managers who were part of the investigation received individual feedback.

3. Findings

The AFM divided the assessment of this investigation into six themes. These themes are:

• The permanent risk management function
• Risk management policy
• Functional and hierarchical separation of the risk management function
• Precautionary measures to prevent conflicts of interest
• Risk limits, risk measurement, and risk management
• Testing, monitoring, and evaluating risk management systems

These themes are addressed in this letter where the AFM has made findings.

In this section, the AFM elaborates on the findings made during the investigation. Before presenting the findings, a brief explanation of the legal framework will be provided.

Risk Management Policy

Pursuant to Article 40 of the AIFM Regulation, every manager must establish, implement, and maintain an adequate and documented risk management policy. This risk management policy must identify the risks to which the AIFs managed by the manager are or could be exposed. The risk management policy forms an important pillar of the risk management system. This policy must be appropriately documented and include an explanation of the measures and procedures used to measure and manage risks. Additionally, precautionary measures for the independent execution of the risk management function must be included. The techniques used for managing risks must also be addressed, and the distribution of responsibilities regarding risk management within the manager must be described. These and other elements that must appear at least in the risk management policy are described in paragraphs 3 and 4 of Article 40 of the AIFM Regulation. The risk management policy must be proportionate to the nature, scale, and complexity of the manager's business and the AIFs managed by it, in accordance with Article 40, paragraph 5 of the AIFM Regulation.

The AFM has noted that for some managers, the risk management policy was not kept continuously up to date. For example, organizational changes resulted in a different structure for the risk management function, but these adjustments were not timely implemented in the risk management policy. The AFM emphasizes that managers have the obligation to keep the risk management policy continuously maintained and current. The risk management policy must align with current processes and structures within your organization; only in this way can the risk management policy serve to support the risk management function.

The AFM also found that in several cases, the nature of potential conflicts of interest was recorded very limitedly in the risk management policy and did not align with the specific situation of the manager. For instance, it was not stated that a person involved in the risk management function also held another function at an affiliated company, which is a situation from which potential conflicts of interest may arise. By not inventorying and recording potential conflicts of interest, precautionary measures to prevent these conflicts, as intended in Article 43 of the AIFM Regulation, may not be taken. The AFM expects managers to assess which specific conflicts of interest may arise within their organization and to subsequently take appropriate precautionary measures to prevent them. These must then also be recorded.

Hierarchical and Functional Separation of the Risk Management Function

Pursuant to Article 15 of the AIFM Directive, a manager must ensure functional and hierarchical separation of the risk management function and the executive tasks, including portfolio management. This means that persons responsible for and working in risk management must not be involved in operational matters, including portfolio management. This functional and hierarchical separation ensures that risk management can be executed independently and is sufficiently considered in decision-making.

The conditions for functional and hierarchical separation of the risk management function are recorded in Article 42 of the AIFM Regulation. This article states that, in addition to the requirement that persons in the risk management function must not be involved in activities within operational services, persons exercising the risk management function must not be directed by persons responsible for or working in portfolio management. Furthermore, persons involved in the risk management function must be rewarded based on their tasks in the context of risk management. This reward must not depend on the performance of the operational services, including portfolio management. The separated risk management function must be guaranteed at all levels of the manager's hierarchical structure, up to the governing body.

The AFM has noted that in a single case, activities regarding risk management and portfolio management were not fully separated from each other. For example, at one manager, activities regarding portfolio management were performed by an employee who was also tasked with activities regarding risk management. The portfolio management activities were performed by this employee when the portfolio manager was absent. In such situations as well, it is not permitted to combine risk management and operational activities.

Furthermore, during the investigation, the AFM noted that an employee involved in risk management sat on the investment committee of the investment company to which the manager had outsourced its investment policy. As a result, there was no separation of risk management tasks.

Pursuant to Article 15 of the AIFM Directive, risk management must be functionally and hierarchically separated from operational activities. This separation must be guaranteed at the management level by every organization, regardless of the size, composition, and/or complexity of the organization. Managers may rely on the principle of proportionality, as mentioned in the AIFM Directive, regarding compliance with rules concerning functional separation at a lower level. Article 42 of Delegated Regulation (EU) 231/2013 refers to the principle of proportionality in Article 15 of the AIFM Directive. The principle of proportionality implies that, when defining functional and hierarchical separation, factors such as the size, nature, and complexity of the organization are taken into account. If the AIF manager relies on the principle of proportionality, it must demonstrate that specific precautionary measures regarding conflicts of interest are adopted, which guarantee the independent functioning of the risk management function. The supervisor tests whether the adopted precautionary measures sufficiently guarantee the independent functioning of risk management activities.

Precautionary Measures to Prevent Conflicts of Interest

It is important that managers specify precautionary measures used to guarantee the independent execution of the risk management function. The minimum requirements for these precautionary measures are recorded in Article 43 of the AIFM Regulation. These precautionary measures must, among other things, ensure that persons performing risk management tasks do not receive conflicting tasks and are compensated in accordance with the realization of objectives related to the risk management function, regardless of the performance of the business activities in which they are involved.

Furthermore, it is important that the risk management function makes decisions based on reliable data that it can verify. There must also be an appropriate and independent evaluation of risk management tasks, and the risk management function must have the same authority in the management of the manager as portfolio management.

The AFM has noted that it is not always recorded in the remuneration policy that persons fulfilling the risk management function are compensated solely based on their tasks in the context of risk management. The AFM expects managers to include in their remuneration policy the basis on which persons involved in the risk management function are rewarded. The AFM also noted that in a single case, the risk manager worked for multiple affiliated entities and was not compensated from the manager for whom he or she was risk manager, but from another affiliated entity. This created potential conflicts of interest for which the manager had not taken mitigating measures. The AFM expects managers to critically examine their organization and thereby identify potential conflicts of interest. Furthermore, the AFM expects managers to take appropriate precautionary measures to mitigate these potential conflicts of interest and to record this in their policy.

Testing, Monitoring, and Evaluating Risk Management Systems

Article 41, first paragraph, of the AIFM Regulation describes the obligation of the manager to test, monitor, and evaluate the risk management systems at regular intervals, at least once a year, and to adjust them if necessary. For this, the soundness and effectiveness of the risk management policy and the arrangements, procedures, and techniques for risk measurement and management must be examined. Additionally, the extent to which the manager complies with the risk management policy and the arrangements, procedures, and techniques of Article 45 of the AIFM Regulation must be considered. This also applies to the effectiveness and soundness of measures taken to remedy any shortcomings in the execution of the risk management procedure. The exercise of the risk management function must also be examined. Furthermore, pursuant to Article 42 of the AIFM Regulation, the soundness and effectiveness of measures taken to guarantee functional and hierarchical separation of the risk management function must be tested. Finally, the first paragraph implies that the management must decide on the frequency of periodic evaluation in accordance with the principle of proportionality, taking into account the nature, scale, and complexity of the manager's business and the AIFs managed by it.

The second paragraph of Article 41 of the AIFM Regulation stipulates that managers must also evaluate the risk management system incidentally, for example, if significant changes are made to the policy or investment strategy of a managed AIF. Subsequently, the third paragraph implies that the risk management systems must be updated based on the outcomes of the evaluations referred to in paragraphs one and two. Furthermore, pursuant to the fourth paragraph, the manager must notify the AFM of all significant changes in the risk management policy and in the arrangements, procedures, and techniques referred to in Article 45 of the AIFM Regulation.

The AFM has noted that for some managers, the periodic testing, monitoring, and evaluation of risk management systems is not (fully) performed. For example, it emerged that some managers do not test their risk management systems annually.

Furthermore, it appeared that in several cases where risk management systems are evaluated annually, not all requirements of Article 41 of the AIFM Regulation are met. For instance, it was not tested how the risk management function is exercised in practice. Furthermore, the AFM noted, among other things, that the evaluation of risk management systems at one manager occurred solely on an event-driven basis instead of at regular intervals. Finally, it emerged that there are managers who record the execution of evaluations too limitedly, making it possible that adequate action cannot be taken on the outcomes. The AFM emphasizes the importance of periodic and comprehensive evaluation of risk management systems so that risk management systems can be updated in a timely manner (where necessary).

Conclusion

The AFM expects all managers to take note of the findings of this investigation and to implement improvements in their organization where necessary. The AFM will continue to pay attention to risk management at managers in its ongoing supervision.

Respectfully,

Dutch Authority for the Financial Markets

---

¹ Https://www.afm.nl/nl-nl/nieuws/2018/jan/verbetering-beheerders-beleggingsinstellingen