Compliance risk management for private equity & hedge funds
Running an alternative fund management business has become a far more considered, strategic affair in the light of significant regulatory changes post-08. One might compare it to the ultimate game of strategy, chess. To stay in compliance with AIFMD, Dodd-Frank, and the upcoming MiFID II and General Data Protection Regulations (GDPR) in Europe, fund managers have to think two moves ahead, and ensure that they have their pawns in position. One wrong move and they run the risk of facing what might be best described as regulatory checkmate.
"I think the implementation of AIFMD has had the biggest impact on private equity fund managers," says George Ralph, Managing Director of RFA in London. "Things were far less regulated before that, but over the last three years a number of challenges have stemmed from AIFMD, such as updating internal organisation requirements. Because of this, private equity managers have had to place more emphasis on compliance."
Those operating at the larger end of the AUM scale have hired Chief Compliance Officers in response to the internal pressures of operating in a more heavily compliant environment, making sure the requisite processes and procedures are in place.
This shift towards greater compliance has placed greater emphasis on the need for a clear risk management framework, of which technology risk is a core component. Advances in technology mean that while the compliance burden has increased, much of it can be automated and monitored, either in-house or by outsourcing it to a trusted IT vendor.
Ralph states that risk has to be managed at the board level and that in order to do that "you need to have the right people in place to translate that risk to enable the board to make informed decisions".
It could be that the firm accepts the risk because the likely impact will be low, or that they outsource it if the manager feels they are unable to mitigate it entirely, in-house.
"With our clients we log all the risks and measure them in terms of likelihood versus impact. Then they are prioritised and allocated to individuals. We then encourage our clients at every board meeting to talk about the top five or top 10 risks and whether they are happy leaving the mitigating action as it is or whether they should invest in a different approach to reduce the likelihood," says Ralph.
In his experience, Ralph confirms that as much as 50 per cent of private equity managers have no risk management process in place, from a technology perspective. They just assume that whoever their IT providers are do it for them. Of course, one cannot transfer risk, as this would be to abdicate one's responsibility. "It's your business and your risk. You cannot outsource it and forget about it."
Chris Thear is Chief Operating Officer and Chief Financial Officer at Ledbury Capital Partners LLP, a London-based hedge fund.
Discussing how regulation has changed the operating landscape, Thear notes that it is not just about understanding the rules but acting in accordance with them with technical proficiency. Something he calls the `operations of compliance'.
"You can hire advisors, lawyers and compliance consultants, as we do, to understand the rules and get to the point where you know what the rules are. But increasingly, you have to be technical in your ability to deliver upon that requirement.
"For example, AIFMD and Annex IV reporting, which is essentially an XML file being sent into GABRIEL. That is a technical report and what you increasingly find is that the CCO's role is becoming more technical, more operational. You need more technical literacy and I think that is only going to increase. It's the operations of compliance that has been the key change as a result of all of this regulation," comments Thear.
Consider short selling rules under ESMA: the trigger for monitoring trades and how you produce a report is consistent across European jurisdictions. However, how you report shorts in Germany versus the UK can be different in terms of how one technically produces it. That bifurcation of regulation brings challenges to fund managers. Firms need a lot more systematic processes in place; look at Market Abuse Regulation, which came into effect in the UK on 3rd July 2016). Performing trade surveillance is a systematic process.
"People talk about having enterprise regulatory risk management and I totally agree with that. Alongside that, you also need enterprise data management capabilities," states Thear.
There are, currently, three key compliance risks that have become a focal point of all alternative fund managers: MiFID II, GDPR, and, more broadly, cyber risk.
Much has been written on the second iteration of the Markets in Financial Instruments Directive (MiFID II), which comes into effect on 3rd January 2018, the technicalities of which cannot be covered in this report. Suffice to say it will likely require fund managers to make significant changes to their systems, governance and controls & procedures.
One of the first preparatory steps to take is for fund managers to gain a clear understanding of exactly how the regulation will impact them through an impact assessment and gap analysis, in order to create a detailed roadmap towards compliance.
Developing an implementation project plan is not an easy task and will require a joined up analysis across the various functions of the firm. Some key areas of focus will centre around commissions, the use of research and how it is paid for going forward; obligations around best execution; transaction reporting and record keeping; as well as regulatory reporting, data management and phone recording.
RFA is engaged in helping PE and hedge fund groups prepare for this regulation from a technology perspective. Ralph says that it is necessary to identify the gaps in clients' current communications and data management infrastructure, identify data retention requirements, work out the data lifecycle to determine where and how each manager will need to store their data, and finally, "to identify a trusted partner who can manage their infrastructure in compliance with the new regulation."
"We've spoken to clients about how we can help them with data categorisation, and how they are going to manage and report on the regulation surrounding voice and video recording, mobile phone recording. How will this be managed if it is on someone's personal mobile versus their business mobile? We even have clients asking us about recording landline communications.
"Under MiFID II, managers are going to have to store this recorded data for up to seven years. Most clients only have something in place to store recorded data for up to 12 months, because it is prohibitively expensive," explains Ralph.
Admittedly, given the nature of how they invest, the data management challenges for PE managers are less significant than hedge fund managers who trade more frequently. In Ralph's opinion, PE managers are more concerned with who they can bring in to help them, from an IT perspective, as opposed to worrying about the minutiae of reporting. "They don't seem too concerned by the impact of MiFID II. It might be that for the structure they have in place and the CCO they have in-house they are well covered," suggests Ralph.
The Head of IT and Infrastructure at one of the UK's best known private equity groups, who asked to remain anonymous, points out that the British Private Equity & Venture Capital Association (BVCA) does an excellent job of lobbying the regulators on behalf of PE managers, and that until all of the details of MiFID II have been finalised, it is hard to know exactly how it will affect private equity groups.
"I do think MiFID II will make the private equity space more transparent in what we do. We already report as if we were a public company. We always have been transparent with our quarterly and annual reports but I feel, for a lot of smaller more secretive PE firms, it is going to place a significant impact on them," he says.
In some respects, the MiFID II rules that reference the recording of electronic communications are an extension of FCA compliance rules COBS 11.8 Recording telephone conversations and electronic communications. Specifically, section 11.8 relates to the recording of telephone conversations and electronic communications. As Ralph mentions above, this will require PE managers to move from storing data from six months to up to seven years.
"This is something that the BVCA will lobby the regulators on. As a PE manager, we are not really receiving or executing client orders as a hedge fund would, so we are hoping for some degree of pushback on this. Either way, we as a firm need to be ready, if it does happen. We have all our contingency plans in place and properly budgeted, just in case," confirms the PE manager.
With respect to hedge funds, they are creators of data. These internal sources of data are held in different systems within the firm, or with a custodian. MiFID II will require managers to collate that information too, to such a standard that they regulatory report on it.
"For example, there are going to be requirements to transaction report, including details on who made the trade decision, who executed the trade, what their personal details are. As such, fund managers are creating huge amounts of internal data so it is incumbent to have enterprise standard data management capabilities.
"That is something we have focused closely on here at Ledbury Partners, creating the systems and processes to collate the information – both high quality, normalised external data from Bloomberg and others, and internal data sources – and bring it all together so that we have the full lifecycle of data. This requires an understanding of technical architecture," says Thear, reaffirming his earlier point on the `operations of compliance'.
He says that to cope with this, Ledbury uses a hybrid approach combining best-in-class off-the-shelf systems with internal developments (e.g. proprietary databases). "Once all the data has been structured properly, applying an overlay of applications to support the business, such as for regulatory reporting, works very well for us.
"We have relationships in place with tier one compliance and IT vendors and in order to give ourselves a bit more operational leverage we outsource certain functions, coupled with strong oversight, to those firms. With respect to compliance consultants, for example, we've already begun GAP analysis and risk assessment on MiFID II, and that will be an evolving document," says Thear.
GDPR will impact alternative fund managers – and all businesses for that matter – in terms of how they classify, store, manage and protect personal data.
Ralph thinks there is a clash between GDPR and MiFID II, in relation to recording trading activities. Say, for example, you have a video conference with an investor discussing a trade idea, an M&A deal; whatever it may be. And during that discussion, the investor reveals some personal information: maybe they mention they are going to their holiday home in Portugal. In that instance, the GP will have to destroy that content as it would be regarded as `sensitive data' under GDPR.
"People will have to find methods of deleting sensitive data because they will not have consent from the client to store such sensitive data. As an investor, you also have the right to be selective and specify which data you want a company to hold on you. There is a real conflict between the two regulations.
"From a risk perspective, the impact of a data breach to a firm is that they could face a maximum 4% penalty, based on their annual global turnover. They key point I've been making to clients is that realistically, if they can prove that they are trying to be compliant, it's unlikely they will be fined," says Ralph.
There are two major elements of GDPR for PE firms to consider, from a risk perspective.
Firstly, if they are working with niche service provider who are heavily reliant on a small number of clients, and one of those clients suffers a breach, because they are a data processor that service provider will be fined up to 2% of their total revenue. Potentially, that service provider might only make a margin that equates to 2% and end up going bust.
"If they are hosting any of your data, that will present a business risk. People need to think more about the financial stability of the companies and trusted partners they work with, as well as the security elements that they have in place," stresses Ralph.
The second risk is more political in nature. As Ralph explains: "Currently, we are governed in terms of data protection by the Information Commissioner's Office. When GDPR comes into effect, the ICO will report to the EU Data Board. With Brexit, my concern is will the EU Data Board start to pinpoint UK companies as a sort of punishment beating, to make an example of them? That presents a potential political risk to GDPR."
The biggest risk to any PE manager is reputational risk.
"I think the financial impact on the service provider is less of a concern than the reputational risk this could have on the manager. You can't put a price on that. That makes managing reputation risk quite a challenge. It's a risk you can't fully mitigate against," says the anonymous source.
They point out that GDPR is not simply a technology project, it's about proper processes and controls, and risk management: "In my view, no firm will ever become fully GDPR compliant. It's a nirvana you're never going to get to. But putting controls and policies in place means that if you have an issue, and you get investigated by the regulator, you can at least demonstrate that you had controls in place, data transfer agreements in place with vendors, etc.
"An LP doesn't really care who the data processor is, even though GDPR places liability on them as well. If I were an LP, I'd be looking at the data controller; the onus lies with them to protect personal data."
Thear confirms that Ledbury is reviewing its counterparty contractual arrangements, particularly with IT partners who are data processors: "We will look at our IT estate and make sure we are locking it down in terms of data leakage. I think one of the big things to focus on is, should you have a data breach, the consequences will be far more onerous under GDPR. You are going to have make sure that your data is securely encrypted, and given to those on a need-to-know basis."
Ralph recommends the following practical steps to prepare for GDPR and mitigate the risks involved:
- Knowledge is power. Evaluate your existing data – understand where it is, why you have it, how old it is, who it belongs to and if the subject has given consent for you to hold that information.
- Plan to carry out a Data Privacy Impact Assessment before processing any new personally identifiable information.
- Map your data against GDPR regulations, specifically; categorising data so that it can be safely deleted at the end of the timespan, if the data is no longer needed for the original purpose, or if the subject requests it.
- Ensure the data is stored according to GDPR regulation. Data should be secure. Tokenising or encrypting data will keep it secure and authentic. Data should be portable. Use non-proprietary systems with open standards where possible, and ensure that all data and associated files can be transferred to another system when needed.
- Understand the risk of non-compliance. Fines of up to GBP17 million or 4% of annual turnover can be levied.
- Consider trans-Atlantic data transfers and client handling activity, and ensure GDPR activities also meet US regulations like Privacy Shield.
- Update internal policies and processes. Review and update privacy notices and create a GDPR compliant process for data access requests. Plan how requests to move or transfer data will be addressed.
- Ensure widespread buy-in. Gather key company stakeholders and get them to read, input into and agree your GDPR action plan. Involve representatives from each department, front office, HR, PR, the board of directors, legal and compliance.
Again, much has been written in the media about the increasing sophistication of cyber attacks, as evidenced most recently by the WannaCry and NotPetya ransomware attacks, which brought chaos to global networks.
At a high level, alternative fund managers should realise that cybersecurity and GDPR are one and the same: the common denominator is data management.
RFA was recently certified by GCHQ to do GAP analysis on GDPR, which was an extension of its existing certification under cybersecurity. This means that RFA is fully certified as part of the IASME governance standard.
Private equity groups are becoming more vulnerable to cyber attacks as they adopt digital platform technology. Indeed, many are still relatively low-key in terms of the IT infrastructure, and requisite risk management framework, they have in place to best protect them from cyber crime.
"The firms that we support in the PE space tend not to use institutional-quality technology; they typically have standard spam filtering technology, firewall technology, etc. What tends to happen is they have a breach or a scare, and go and ask advice from someone they know, and that person will recommend an IT partner (such as RFA).
"We will then go in and perform the GAP analysis. That's when we might discover that they have holes all over the place and we advise them that they need to invest some of their budget in technology in order to stay protected. Private equity managers trust their partners and assume it's an IT issue. But it's not. Cybersecurity is a business issue," stresses Ralph.
The anonymous source acknowledges that the percentage of budget the group spends around information security has grown in response to the growing cyber threat landscape, confirming that senior management "are much more aware of the risks".
"We are not yet at the pinnacle. Cyber attacks are going to get worse. If you look at the industry, it is worth USD384 billion (Forbes) whereas for the US government, who have probably spent the most on cyber defence, that figure is somewhere around USD30 billion; the figures are totally skewed. If you, as a business, think the government are going to help you, you're mistaken. They will help critical infrastructure to keep the country running. If you're a private business, you're on your own," they state.
While PE managers might dedicate time and resources, internally, to developing a strong cyber posture, one of the unique challenges that they face is that they must also factor in the cybersecurity posture of the underlying companies they invest in.
RFA helps in this respect by auditing the portfolios of its PE clients. Ralph confirms that during a cybersecurity audit that it performed a client last year on 46 companies in their portfolio, approximately 17 of them needed upgrades to their security.
"For four or five of the portfolio companies, we replaced their IT vendors altogether because they didn't have a clue what they were doing. One of the portfolio companies didn't even have antivirus software on their machines.
"A lot of our competitors don't get involved in auditing portfolio companies at all. We want to get involved more in the business side of what our clients are doing. Reputational risk is arguably worse than suffering a cyber breach," asserts Ralph.
If a portfolio company were to get breached, the first thing the media would say is, `Company X, owned by private equity group Y'. That is the reputational risk that one must think about in relation to cyber risk.
"We have to look at our portfolio companies and understand the business vertical they are in, and what risk, further up the chain, could be on our shoulders.
"What is gradually coming more into the market is that when a PE manager conducts M&A work, they are performing technology due diligence to see whether the target company's network has already been compromised. The issue you have now is that a network might be breached 180 days after it is first compromised. If you buy a business and it's already been compromised, you can't retrospectively say to the regulator, `This company was compromised before we owned it'; you absorb that risk completely.
"This has become an important element of our final due diligence. It's very intrusive but it's something that you need to know and to fix as part of your 100-day plan," outlines the UK PE manager.
There is no doubt that compliance has become more technology-driven in response to growing regulation. As such, this introduces technology risk into an organisation.
Private equity groups need to ensure that they have a technology risk management process in place to not only operate efficiently, but to respond swiftly to any incident that could attract the regulator's attention.