Recent events have tested many firms’ operational resilience to the limits – not least in the funds industry. In the face of a global pandemic, and with the majority of staff operating from home, asset managers, distributors, intermediaries, custodians, administrators and investors have all had to find new ways of working while providing continuity of service in a secure environment.
For some, this has meant drawing on a pre-scripted business continuity plan that goes beyond recovery sites to a fully distributed remote access environment. For others, it has required fast footwork and a lot of creativity. In both cases, the mutual dependency of different players within the financial services ecosystem puts a huge strain on communications and workflow when access to office systems is at one, perhaps untested, remove.
Meanwhile, security issues multiply. The European Commission has warned of a notable rise in cyber crime across Europe as hackers exploit the COVID-19 theme.
Regulators step up the pressure
Operational resilience is now a big issue for regulators worldwide. A paper produced last year by TheCityUK and PwC said: ‘Regulators are looking to treat operational resilience on a par with financial resilience.’ That was before the onset of COVID-19.
Since then, Britain’s Financial Conduct Authority (FCA) has promised to review firms’ business resilience and their ability to support clients. It has repeatedly stressed the importance for asset managers of having contingency measures in place to mitigate the impact of any disruption within their own business or that of their service providers. Business continuity planning is now high up the agenda.
Other regulators are moving in the same direction. The Australian Prudential Regulation Authority (APRA) tightened its standards on business continuity management three years ago. The Australian Securities & Investments Commission (ASIC) produced a consultation paper in 2019 proposing new market integrity rules for market operators and participants ‘that promote technological and operational resilience of their critical systems’.
Similar moves are afoot in the US, EU, Hong Kong and Singapore. In a recent paper, KPMG commented: ‘There is an increasing focus on the response and recovery of financial institutions to operational disruption.’ The regulators want to see defined recovery plans that enable the resumption of key business services within threshold tolerances.
Resilience is now a governance issue
That is not all. Increasingly, regulators want to see evidence of a structured, governance-based strategy involving top management and not just IT professionals – one that is built on end-to-end management information processes and operational understanding at the top level.
Regulators want to see risk frameworks that identify the maximum tolerable disruption, where all key operational vulnerabilities are tested on a regular basis. That framework needs to encompass all third-party supplier relationships. Given the speed of technological innovation it should also take in change management, the single biggest cause of technology outages in the City of London over 2017-18, according to the FCA.
Cyber security should clearly be one critical area. There is already an established framework for dealing with cyber security, laid down by the US National Institute of Standards and Technology (NIST). This breaks the security workload into five areas under the headings Identify, Protect, Detect, Respond and Recover. It provides not only a structured approach to the cyber challenge but also a frame of reference for approaching operational resilience and business continuity planning as a whole.
Building resilience into everyday processes
Resilience, however, is about more than crisis planning. It is also about building robustness into everyday processes and reducing vulnerability. Technology has a big role to play here. At Calastone, our funds network provides a fully digitised environment that optimises day-to-day operations using one online management system. It automates our clients’ fund transactions, trade management, reporting and transfers.
Automation and full straight-through processing drive out risk and build robustness. We reinforce that robustness through regular testing.
The recent rise in transaction volumes adds to the pressure on intermediaries, such as the UK’s transfer agents (TAs), who have a critical role to play in ensuring correct daily fund valuations and processing fund transactions in a timely manner. If they are to meet tight deadlines, they need systems that are not only efficient but operationally robust. We support one of the larger TAs by engaging in daily ‘health checks’.
Each morning, ahead of the main flow of trades, we conduct a number of trade simulations on a range of funds for different firms to validate connectivity. Failure to receive a rejection within five minutes raises an alert, giving the TA time to investigate before any dealing begins. As a matter of course, we monitor connectivity and average response times, allowing us to flag any issues at an early stage. And we test our secondary server connections on an annual basis.
Calastone: structured for home working
With our ability to onboard new clients and deliver solutions within days, we are perfectly structured for home working. Our Execution Management System is designed to allow clients to operate from any location in complete security (see box). Where there are counterparties who still communicate by fax, we can work to connect them to our systems at speed. Meanwhile, a ‘live chat’ function lets clients communicate directly with our operations team.
The ability to sustain normal working in a very abnormal period is a challenge for everyone in the funds industry. For some it will have been a steep learning curve. One thing is certain: the regulators will have been watching closely and are highly likely to return to the issue of resilience at the earliest opportunity.
EMS: Keeping everyone connected
Calastone lets firms trade via its Execution Management System (EMS), a highly secure and robust portal that provides a view of a firm’s interactions across the markets in which they operate and access to a suite of additional services, including dividends, reporting and transfers.
At a time when secondary connectivity is a major part of any business continuity plan, EMS is being used to allow clients to operate normally from any location should they have technical issues with their primary connection or the technology stack it connects to.
EMS is there to provide all the support firms need in a distributed work environment by enabling:
- Secure, remote monitoring of all trading activity through our secure user interface
- Easy and secure sharing of statements and other data with colleagues
- Manual processing of transfers if the STP link cannot be accessed
- Ability to contact our ‘live agent’ to discuss any issues
Where a firm has counterparties that are still processing transactions manually or by fax – and where home-working complicates the exchange of paper forms and ‘wet’ signatures – we can provide those counterparties with access to our systems.