It may feel to some in regulated roles that they are being overwhelmed with regulatory change and required to master an ever increasingly complex brief. It is advisable sometimes to step back and assess matters from a high level, to ensure that basic principles of governance and operation are not lost amidst the detail.
A recent enforcement action against a fund management company (in Ireland, but just as relevant in the UK) reminds all those holding directorships or regulated roles of some of their basic obligations: in particular, with activities outsourced to others, for the need to have a clear structure of authority and to engage in an open and co-operative way with Regulators.
The circumstances involved a merger of two funds. The way the merger was executed resulted in a breach of UCITS Regulation 73(2) which permits a UCITS to invest no more than 20% of its assets in units of (another) single UCITS. The breach was ‘advertent’, in that it was caused by a deliberate action. As opposed to ‘inadvertent’, such as may happen due to market movement or other external events beyond the manager’s control.
Ordinarily an advertent breach of an investment limit would not result in regulatory sanction. Such breaches are typically immediately corrected, disclosed and reported accordingly, depending on their severity; with any impacted investor or fund recompensed.
What seems apparent here, is that not only should the breach never have happened but that when it did it was neither speedily nor appropriately managed. And all this was in a situation where there should have been awareness of the risks associated with the transaction.
A significant factor here was the extent of outsourcing and the lack of apparent connectivity between the fund management company and its delegates.
It is, of course, very common to see fund management firms outsource services, tasks and delivery. Under UCITS Regulation 223(1)(b) and (f), a fund management company is permitted to delegate activities to third parties. A wide range of functions, including the actual investment management of funds, investor fulfilment and many operational requirements are met by outsourced service providers or delegates, be they parts of the same group or third-party specialist providers.
The same Regulation also requires that such outsourcing does not prevent the management company or the UCITS from being managed in the best interests of the investors; and that measures are put in place which enable the management company to monitor effectively the activities of its delegates. This is reinforced by regulatory rulebooks (for example in the UK under SYSC 8 Outsourcing) reminding Boards that regulatory responsibility cannot be contracted away.
In this situation, there was clear lack of oversight and monitoring of those outsourced functions. Reports were claimed to have been sent to Boards but either never received or never read.
Other failings were also apparent. There was a lack of planning in the decision-making structure. The relevant role holder was away on sabbatical, with no arrangements apparently having been made to cover their absence.
After the breach had occurred, there was a lack of transparency with the Regulator. It was the Depository that reported the beach and not the fund management company.
All fund management company Boards and holders of regulated roles can learn from this action. It pretty much provides a checklist from which non-executive Directors, for example, could answer the Regulator’s clarion call to provide constructive ‘challenge’ to their fellow Board members and holders of the senior regulatory roles. Several areas would be worthy of consideration:
Finally, remember that it is a common expectation of regulators that they would want to be aware of a serious or material breach. As the FCA’s Principle 11 reminds us: “a firm must deal with its regulators in an open and cooperative way…”. Self-reporting and a cooperative approach may even help prevent a problem becoming bigger than it should.