The Ellis Wilson round-up: recent Anglo-European regulatory issues
Jonathan Wilson, Director, London, 19 July 2020
In this edition we look at an initiative to promote 'sustainability' among asset managers, outsourcing to Cloud service providers and the European Banking Authority's guidelines for internal and external information and communication technology (ICT) and security risk management.
Commission drafts tip of a 'sustainability' iceberg for asset managers
On 8 June the European Commission, the nearest thing that the EU has to an executive branch, drafted up some 'level 2' measures that are destined (through "delegated acts," which are akin to delegated legislation in the UK) to incorporate considerations about 'sustainability' into the EU's UCITS (undertakings for collective investments in transferable securities) Directive, the Alternative Investment Fund Managers' Directive or AIFMD and the second Markets in Financial Instruments Directive or MiFID II.
For MiFID firms, the draft 'pastes' references to "sustainability factors" (an undefined term) and the preferences of clients about those factors into firms' arrangements for product governance, conflicts of interest and advice about investments (both investment selection and sustainability reports).
For AIFMs and UCITS managers, the drafts paste references to "sustainability risks" (environmental, social or governance-related events that might lower the value of investments) into regulations that cover investment-related checks or "due diligence," the management of conflicts of interest, risk management, general organising arrangements and arrangements pertaining to senior managers, who will be responsible for the integration of sustainability risks in the way the AIFMs or UCITS managers handle investment, valuation, compliance, risks and remuneration.
However, the substance of the 'sustainability' drafting exercise is contained in a different regulation, published last November, on sustainability-related disclosures in the financial services sector (SFDR), which could introduce new policy and disclosure requirements for asset managers in or after March next year. The tail-end of the post-Brexit trade negotiations might interfere with these plans.
HM Government has said that the SFDR and associated EU law will be 'onshored' and that it is keen to match the ambition of the EU's Sustainable Finance Action Plan, of which the SFDR is a part. However, the articles of the SFDR that call for "level 2 implementing measures" have been omitted on purpose from the UK's latest draft regulation. This creates the possibility of divergence between the UK and the EU, but the direction of travel towards more disclosure is clear in both cases.
Whatever happens, all fund managers will have to consider and disclose their arrangements for managing the effect of sustainability risks on their investments. I interpret that as the risk of loss to the investor of unsustainable investment practices. Managers may choose, on a "comply or explain basis," whether to develop and disclose policies that measure the damage that their investments do to environmental, social, employee-related, human-rights-related, anti-corruption and anti-bribery "sustainability factors." In other words, they should disclose the harm that unsustainable investment practices are causing.
How far should, or how far will, fund managers be expected to wade into the "sustainability" pool, with all its potential obligations to disclose various things to regulators and investors? A lot may depend on their target markets and the investment strategies that they say they are deploying. Many firms might be put off by the disclosure obligations that the EU is suggesting here in draft. The text of the three drafts points out no fewer than 30 mandatory "adverse impact disclosures," including:
- energy consumption per GWh per € million of portfolio companies expressed as a weighted average;
- the share of investments with operational sites owned, leased, managed, or adjacent to, areas of high "biodiversity value";
- the weighted average weight in metric tons of water emissions generated by investee companies per million € invested;
- the share of investee companies without policies that protect telltales and informants; and
- the number of convictions and the quantum of fines for breaking anti-corruption and anti-bribery laws by investee companies.
The EU wants to compel all fund managers (or managers in groups) with more than 500 employees to make these detailed disclosures by 30 June next year. Its main aim here might be to shame large asset managers into divulging the damage that they are doing rather than emphasising anything positive.
Dealing and managing for sustainability
The FCA and the Prudential Regulation Authority have joined forces to set up the Climate Financial Risk Forum (CFRF) to advance the financial sector's responses to financial risks that relate to global warming. On 29 June the CFRF published a guide "written by industry for industry to help firms approach and address climate-related financial risks."
The guide groups such risks into physical risks that stem from global warming (weather-related events and longer-term shifts in the climate that might affect the availability and price of property and insurance premia etc) and "transition risks towards a net-zero-carbon economy" (things that governments do about global warming, legal interpretations, things that could lead to litigation against or stricter regulation for carbon-intensive sectors and even companies that fail to deal with global warming).
The guide suggests that firms should assign responsibility for climate risk to an existing senior management function or SMF, embed climate-related financial risk into their risk management and 'governance' arrangements, gauge their appetites for risk over a 30-year period, use 'scenarios' to gain a better understanding of the subject, tell the regulators and/or clients about the process by which they have spotted and assessed financial risks to do with global warming and the effect of their own portfolios on the climate.
It is a good idea for financial firms to consider the guide together with the EU's proposals outlined above.
The guide obviously draws on the thoughts of such large asset managers as BlackRock, Invesco and Schroders. Although the summary claims that the detailed chapters take a proportionate approach, the chapter on disclosure sits on the green fence: "While smaller firms may not have the resources to make disclosures as extensive as larger firms...some disclosure is still desirable." This is rather vague.
As regards a 30-year risk appetite, this might not square with firms' current approaches to long-term investment that use 5-10-year time-horizons. Is there room for 30-year-long investment strategies alongside shorter-term ones? How will the managers of investments in developing countries deal with these risks? At least the FCA is only considering global warming (or "climate change" as it euphemistically puts it), which is narrower than the "sustainability factors" that the EU wants firms to phase in by 2022.
Outsourcing to Cloud service providers
The European Securities and Markets Authority has issued guidelines on this subject for firms. There are nine, on the following subjects.
- Governance, oversight and documents.
- Pre-outsourcing analysis and "due diligence."
- Contractual requirements.
- Information security.
- Exit strategies.
- Access and audit rights.
- Sub-outsourcing.
- Written notifications to government bodies.
- Supervision of Cloud outsourcing arrangements.
The FCA has to notify ESMA shortly of its intention to comply or not to comply with the guidelines. They are to apply to all Cloud outsourcing arrangements that firms make from 30 June 2021 onwards.
The ESMA guidelines echo an FCA paper entitled "FG 16/5 - Guidance for firms outsourcing to the 'cloud' and other third-party IT services" and some rules in the SYSC 8 (systems and controls) part of the rulebook. ESMA goes slightly further by calling for an up-to-date register of information at every firm in which the compliance department logs the firm's outsourcing arrangements, summaries of whether they are "critical or non-critical," precise performance targets and the firm's Cloud service provider's (CSP's) obligations to oversee services that it has sub-contracted. ESMA also makes prescriptive statements about the information that the firm should include in its notification to the FCA about outsourcing arrangements - e.g. the date of the most recent risk assessment or audit along with a summary of the results, or the names of the people who approved the outsourcing arrangements.
ESMA expects firms to review and amend their existing Cloud outsourcing arrangements to take its guidelines into account by 31 December 2022, or else to own up to their national regulators.
ICT and security risk management standards
On 25 June the FCA endorsed the European Banking Authority's guidelines for internal and external information and communication technology (ICT) and security risk management, drafted in response to a surge in these risks that has stemmed from digitisation and the thickening web of connections between financial institutions and so-called "third parties." The EBA calls for the following things.
- Governance and strategy. The management and offsetting of risks through sound internal governance and internal controls with clear responsibilities, including those of the management body. An ICT strategy; the management and offsetting of risks through an independent and objective control function, segregated from ICT operational processes; and an independent internal audit function. Effective risk-mitigating measures for outsourcing situations or the use of third-party providers, to be set out in contracts and service level agreements.
- ICT and security risk management. Firms ought to keep up-to-date inventories of their business functions, supporting processes and "information assets" and should classify them in terms of something the FCA calls 'criticality.'
- Information security. Measures to include an information security policy which tests the measures as well as implementing them. Training for all staff and contractors.
- ICT operations management. Principles to govern the way in which firms should manage their ICT operations, including 'requirements' to improve their efficiency. Logging and monitoring procedures for 'critical' ICT operations. Firms should keep up-to-date inventories of their ICT assets while monitoring and managing the life cycles thereof. Back-up plans and procedures for recovery with processes that manage incidents and problems.
- ICT project change management. Includes the acquisition, development and maintenance of ICT systems and services. Changes to production systems to be assessed, tested, approved and implemented in a controlled manner, with somebody governing and overseeing ICT projects. Careful monitoring of "applications development", from the test phase to the production phase, is needed.
- Business continuity. Response and recovery plans. Internal and external 'stakeholders' to be informed in a timely manner. ICT business continuity management processes to be an integral part of the firm's business continuity management process.
The FCA expects firms to make every effort to comply with the EBA guidelines, which have now come into force. It is hard to see how many smaller and medium-sized asset managers can relate to the formulaic structure of the guidelines, but they should hold to the basic tenets. Firms should benchmark their arrangements and apply the principle of proportionality, taking into account their respective sizes, complexities and risks.
The FCA is asking the public to evaluate new proposals for operational resilience and expects to finalise them as rules in the first quarter of 2021. These are to apply to asset managers with £50 billion AuM or more.
Guidelines for MiFID II requirements for compliance functions
ESMA has published updated final guidelines regarding the MiFID II compliance function. These guidelines replace the guidelines on the same topic that ESMA issued in 2012. ESMA addresses its guidelines to investment firms, credit institutions and AIFMs when they provide "MiFID top-up" investment services.
There are 12 guidelines that cover such topics as compliance risk assessment, risk-based monitoring, reporting, the compliance function's job of advising and helping people, resources and outsourcing. Firms ought to benchmark their arrangements against this latest list.
* Jonathan Wilson can be reached on +44 (0)20 3146 1869 or at jon@elliswilson.co.uk