Regulations, technology, and the many points at which they overlap were the major talking points at the International Transfer Agency Summit in Luxembourg this year.
In one session, speakers suggested that transfer agents need to start paying more attention to the regulatory challenges faced by the rest of the industry.
When asked which areas of business are likely to be affected by regulation in the next few months, William Gilson, an independent director, suggested that, actually, “the transfer agency world has had it relatively easy in the last few years”.
However, Gilson pointed specifically to the issue of data regulation, saying this is “fairly critical” for transfer agents as “I don’t think that the transfer agency world is set up to forget a client”.
The audience was warned that, although these regulatory issues generally affect asset managers more, those asset managers are currently setting up teams to tackle the challenges, and those teams are in the process of drawing up due diligence questionnaires for transfer agents.
“You’re going to be inundated,” Gilson told delegates.
He advised attendees to be prepared for this, and to have the required information ready in good time. He warned that transfer agents will soon have questions to answer, saying: “It’s up to you whether you want to do it efficiently or not.”
Nirvana Farhadi, CEO of FFS-RegTech Services agreed that data requirements will affect every business line and will have “a key impact on the industry”, suggesting that firms need to consider where, and who, they are going to get their data from.
These requirements are not going to subside, she said. Firms should look at what they already have in place and use technology to help build sufficient and robust infrastructure that can reduce costs and increase efficiency.
When asked whether the industry’s efforts to comply with regulation—gathering data, working out how new systems work and the significant costs involved—will be worthwhile, Florian van Megan, a retail markets specialist at the Investment Association, conceded that he is “in two minds”, saying: “The intention was to improve investor protection—who can argue with that?”
However, he added that what the regulators came up with “is a game changer”. Until the final effects of the regulation are clear, he said, it will be difficult to say whether the effort was worthwhile or not. In the investment space, at least, the effects will take a while to become apparent.
Later, William Long, a partner at law firm Sidley Austen, honed in on the increasing importance of cyber security, warning that transfer agents must be aware of, and reactive to, the risk. He told attendees that every business represented in the room “will be affected by a cyber security incident”.
Coping with the fallout from a cyber security attack “can be extremely painful”, resulting in job losses, a direct impact on profits, reputational damage, and a subsequent dip in share prices.
When the EU General Data Protection Regulation comes into effect next year, a cyber breach could also lead to “mouth-wateringly large” fines of up to 4 percent of annual global turnover, something Long called a deliberately “persuasive figure”.
The new regulation mandates a more controlled process around gaining consent to use client data, and introduces a right to object to data profiling and the right to erasure, meaning clients can, in some cases, request data to be deleted. It also introduces the potential for individuals to file damages claims in the case of a data breach, even for non-financial loss.
In the financial services space, Long said, firms will have to take a “privacy-by-design, privacy-by-default” approach to data, only collecting the minimum amount and building privacy into processes and procedures in an “antithesis to the world of big data”.
The new rules also mean that in cases where a vendor processes data on behalf of an asset manager, “service agreements will have to be amended”.
To manage cyber risk and the impending new regulatory requirements, Long said risk mitigation is key. Firms should determine their risk profiles and get procedures and policies in place to prepare for a data breach, clarifying what the “crown jewels” are, where they are, and who is looking after them. “Frankly,” Long asked, “Are they up to the job?”
He added that these initiatives must be led from the top of a business, stating that the threat of a cyber breach affects the whole business, and should be seen as doing so. He said: “This is not an IT issue … this is a board issue.”
A later panel session focused on UCITS V. Although this has already been implemented, there are still issues that local regulators need to iron out.
Isabelle Lebbe, partner at Arendt & Medernach, noted that, globally, “the clients we advise are now compliant with the new regime, with a few exceptions”.
However, some aspects of the regulation remain unclear, she said, and these are being addressed in different ways because “we don’t have sufficient guidance”.
Under UCITS V, depositories have to verify their instructions with the laws, regulation and fund rules, and this “proves to be difficult”, Lebbe said. She questioned how far the depository should be expected to go in these cases—for Sharia-compliant funds, for example, it is unclear whether a depository is responsible for verifying compliance with Shaira rules.
Lebbe suggested that funds and depositories should “clarify this in the depository document” in order to avoid further confusion.
Panel moderator Andrea Mornato, of Invesco Asset Management, addressed the issue of remuneration under UCITS V, suggesting that there are challenges with local regulators, where some have adopted clear guidelines and others have not.
He also pointed to other regimes, such as the second Markets in Financial Instruments Directive and the Alternative Investment Fund Managers Directive, that attempt to address the same issue but from different angles, leading to inconsistencies.
Lebbe noted that, for remuneration, UCITS V includes a proportionality rule, allowing institutions to adapt the guidelines to meet their own situations. While some management companies have been quite risk averse in their implementation, others have stretched the rules, sticking to their previous positions as far as possible.
According to Lebbe, Luxembourg regulator the CSSF received wildly varying proposals for the implementation of the rules, but so far “we have seen no reaction at all”.
She argued that as long as there is not a clear ruling, there will not be a strict expectation of compliance. However, one audience member suggested that the regulator is purposely leaving rules open to interpretation so that, when an issue arises, it can “nail” those companies with more relaxed versions.
The audience member went on to say that management companies are still using these freedoms “for competitive advantage”, calling this “a fundamental problem in the industry”.
Another major regulatory gripe emerged in the management of know-your-client (KYC) and anti-money laundering (AML) requirements. Gerard Green, Head of EMEA AML at Invesco Asset Management, noted that public outcry in recent times on tax avoidance schemes calls for greater transparency in KYC and beneficial ownership in the financial services industry.
While the EU's Fourth AML Directive allows for appointed intermediaries to perform due diligence on the underlying investor, Green noted that omnibus accounts may one day become obsolete with the advent of fintech and blockchain. This will however require an industry overhaul in technology.
“We need to have these systems to allow that transparency,” he said, "while remaining within the realms of data protection laws and allowing for better sharing and centralisation of KYC data."
Stephen Smyth of J.P. Morgan suggested that depositories need to have a view of everything an asset manager does, and everything they delegate out. He said: “Regulation, automation and fintech go hand in hand for me.”
Green added that, currently, data protection and KYC and AML rules can be conflicting, noting that distributors will not simply hand over underlying investors’ data when they’re asked for it. However, he argued that if an institution requires a client’s data for AML and KYC purposes, distributors should provide it, finding a way to protect investors “without conflicting”.
KYC requirements were deemed a major challenge for clients opening accounts with transfer agents, although the only way to manage this challenge may be through a common solution on which the industry cannot seem to agree.
In a lively discussion, an audience member called KYC the biggest challenge in working with transfer agents, and questioned why there is not more automation in this area.
BlackRock’s Graeme Whyte conceded: “It is a big challenge, and if we could solve it it would be a real win.”
However, Vanessa Roger Gruneklee of AXA Investment Managers, representing the distribution side, said this will only be possible with “one common solution”. If there are too many providers, “we won’t solve the problem and it will be a nightmare for the distributor”.
A third panellist, SWIFT’s Tanja Van Sterthem, highlighted the SWIFT KYC Registry platform, which is now also open to custodians and fund distributors.
On SWIFT’s platform, institutions contribute an agreed ‘baseline’ set of data and documentation for validation by SWIFT, which the contributors can then share with their counterparties.
However, another audience member responded with the argument that SWIFT’s solution remains just one of many competing products. While the concept is good, adoption is still an issue, he said, adding in frustrated tones: “Nobody can agree which is the right solution”.