3 Lines of Defence Consulting Briefing Paper
Key Issues Facing the Private Equity and Venture Capital Sector October 2020
Contents
Introduction
Market Abuse Prevention
Anti-Money Laundering
Senior Management and Culture
Covid-19 and the New Normal
Brexit
Introduction
COVID-19 is here and Brexit is coming, continuing to put the private equity and venture capital sector under great pressure. To operate, survive and thrive there are new working practices and a need to be flexible. There is increased cyber activity, resulting in increasing operational risks and greater scrutiny from investors and regulators. This Briefing Paper is intended to highlight some of the key areas to think about over the next 6 to 12 months, based on the current environment and regulatory focus.
At the start of the COVID-19 pandemic in March 2020, 3 Lines of Defence Consulting issued a White Paper, “Financial Markets Operations Response to COVID-19: Best Practices for Working from Home”, in conjunction with A-Team Insight. This Briefing Paper reconsiders COVID-19 with the developing requirements, along with the sound practical steps to be taken and other key areas of business focus.
Business life and the regulatory requirements of financial services firms have not been put on hold because of COVID-19. In fact, quite the opposite, as the UK regulator is keen that services to consumers should be maintained, and not be penalised in any way in terms of cost of service. Furthermore, the UK regulator is keen to understand the financial impact on regulated firms of COVID-19. This Briefing Paper considers how private equity and venture capital firms should respond to the current regulatory hot topics of market abuse prevention, AML and the Senior Management requirements, and concludes with COVID-19 and BREXIT.
3LDC provides focussed specialist advisory and support services for financial services firms including those in the private equity and venture capital sector. It draws on extensive hands-on experience within the team to support clients through COVID-19 and beyond. 3LDC is complemented by its sister company, 4 Lines of Defence, which provides software and tools to enable clients to empower performance and maintain information security.
Our team is formed from a partnership of former C-Suite heads of function, senior managers and subject matter experts from across the financial services industry and legal sector. Our senior team members all have over 25 years’ experience within their field to draw on. In their previous roles they have encountered and responded to the myriad of changes, meeting the challenges that the industry has gone through over recent times. Read on to find out how we can support private equity and venture capital firms with their compliance, regulatory and information security requirements.
Market Abuse Prevention
Market abuse, conduct and culture continue to be a key focus for the FCA. This is highlighted in Market Watch 63, published in May 2020, which sets out some of the FCA’s expectations of firms adopting new working from home arrangements during the COVID-19 pandemic. Firms are expected to continue to meet all their regulatory obligations including, as specifically emphasised, those relating to preventing market abuse. The FCA highlights that firms should review and update their market abuse risk assessments in response to any identified heightened or additional risks arising from these new working arrangements.
Performing a Market Abuse Risk Assessment is a vital part of every private equity firm’s Market Abuse Prevention Toolbox. At 3LDC, we bring together senior compliance, risk, front office and operational experts to work with clients to build the optimal Market Abuse Prevention Toolbox, which includes:
1. Establishing, enhancing and quantifying the company’s appetite for risk
A zero appetite towards risk is unrealistic and not appropriate, as risk is taken on as soon as firms start to operate a business. We help to quantify an acceptable level of potential risk of market abuse for the firm to enable it to understand, mitigate and manage that risk.
2. Conducting a risk assessment
Risk assessment forms part of a firm’s Enterprise Risk Management System and is a key element of the Market Abuse Prevention Toolbox. The firm’s risk assessment is key to assessing where the market abuse and other misconduct risks may occur in the organisation. Companies will have different inherent risks and different tolerance levels for risk according to their business activities. A risk assessment should be owned by the whole business and requires engagement with the board and the leadership team, front, middle and back offices. We facilitate that essential engagement and ownership across the business.
Once a firm’s appetite for risk has been ascertained and the risk assessment has been completed, we can calculate the residual risk and provide an understanding of what that means. The board and leadership team can ensure the risk appetite and the residual risk align.
3. Policies and procedures
Robust governance requires firms to have clear structures in place with defined roles and responsibilities. The right policies and procedures inform staff of their regulatory requirements and obligations and can be supported with generic and/or bespoke training.
4. Surveillance and monitoring systems
Does the firm have an automated surveillance system, employ manual monitoring methods or, as with the majority of firms, use a combination of both? Are a company’s monitoring and surveillance systems looking for the right types of behaviours and are they effective in doing so? Is the correct data feeding the monitoring and surveillance systems? Are the thresholds and parameters on the automated surveillance system set correctly? How are alerts categorised and how does the firm measure the success of surveillance and monitoring systems? Does the firm adjust for new threats arising from COVID-19? These are important questions that require answers. We can help address these questions.
5. Reporting of suspicious activity, near misses and responses
Is the framework established for assessing monitoring and surveillance “hits” appropriate and effective? Moving from a sea of alerts, through false positives and near misses, to identifying reportable suspicions is not easy. Firms need the right monitoring and surveillance tools, parameters, guidance, awareness and people involved. We can help clients ensure that the framework is integrated, involving compliance and the wider business. We can help clients learn from near misses, refining their framework and business model.
6. Management Information
Strong and insightful management information is essential to managing a firm’s business in a controlled manner, enabling senior management to meet their responsibilities. We can ensure the firm’s management information is more than just data.
3LDC provides firms with a framework to identify, mitigate and manage the risks presented by market abuse, bringing experienced practitioners together to provide the expertise needed for private equity managers, venture capital firms and asset managers to protect their business.
Anti-Money Laundering
There is a long-standing regulatory requirement to have effective procedures in place to detect, prevent and report suspicions of money laundering. The regulatory requirements have expanded over time to encompass sanctions and anti-terrorism financing within its broad scope. The UK and EU’s Money Laundering Regulations are updated regularly to take account of new financial crime threats. As the AML requirements evolve it is essential that firms implement and maintain sound practice policies, procedures and controls to mitigate/manage the risk of involvement in money laundering activity. Remember you can never have a ZERO RISK scenario, if you are running a business.
FCA Thematic Review
The FCA is currently undertaking a thematic review into assessing firms and their anti-money laundering activities. We understand that they have found that many firms are still not meeting the standards required or following the guidance appropriately. We recommend that you review your current arrangements to ensure that they continue to meet regulatory expectations.
Have you factored in the latest threats?
All firms should ensure they have factored in and considered the latest threats. These include (i) using Cryptoassets and exchanges, (ii) countering money laundering through the use of dual use goods and (iii) the risk impacts of COVID-19 on handling clients/processing transactions whilst working from home. A common issue identified is that the firms do not have automated monitoring systems which are effective, in terms of their business model and/or new threats. Firms must ensure that they are aware of and using the industry guidance available, to help operate a robust framework that matches their activity profile.
You may be required to appoint a Skilled Person
Firms that are found to have inadequate controls in place will be instructed by the FCA to remediate. This may also include being required to appoint a Skilled Person to report on their activities, under Section 166 of the Financial Services & Markets Act. This is an expensive exercise in terms of the Skilled Person’s fees, the management time, reputation and personal liability for the board, or appointed Senior Manager responsible for AML. Plus, this is all in addition to the actual remedial costs of implementing the required enhancements. It is much more effective to ensure you have a robust framework already.
Review Policies and Controls
When formulating a remediation plan, firms will need to consider reviewing client folders and profiles, policies and procedures, controls and automated monitoring systems, to ensure they can evidence appropriate due diligence and on-going assessment.
This is where, as an independent expert, we can provide invaluable support. 3LDC brings together a team of senior level AML and financial crime prevention experts, providing clients with a range of services including:
Status - Running a health check to determine your current status
Gaps - Identifying gaps and areas for improvement
Remediation - Designing a remediation plan (as appropriate)
Clients - Reviewing client files & profiles
Process & Controls - Enhancing current AML processes and controls
Personal / Confidential Data – Ensuring KYC data is obtained, used and kept securely. Think GDPR.
AML Monitoring – Helping tailor automated monitoring systems so they are effective
Awareness – Tailored training and updating firms on latest guidance and regulations
Policy - Supporting clients to rewrite and update policies as required
Pre FCA Review – Supporting management in preparing for FCA reviews
FCA imposed Section 166 Reviews - Supporting firms through the S166 process and preparing them adequately for skilled persons interviews
Skilled Persons – Helping management and providing support services from within the firm to appointed Skilled Persons
Through the delivery of the above services, 3LDC provides advice and support to enable firms to assess and enhance their financial crime prevention frameworks.
Useful Resources
The Joint Money Laundering Steering Group – Prevention of money laundering/combating terrorist financing 2020 Revised Version.
https://secureservercdn.net/160.153.138.163/a3a.8f7.myftpupload.com/wpcontent/uploads/2020/06/JMLS GGuidance_Part-I-_June-2020.pdf
FCA – Financial crime: a guide for firms – Part 1
https://www.handbook.fca.org.uk/handbook/document/fc/FC1_FCA_20160703.pdf?date=2018-12-12
FCA – Financial crime: a guide for firms – Part 2
https://www.handbook.fca.org.uk/handbook/document/FC2_FCA_20160307.pdf?date=2018-12-12
The Financial crime guides referred to above have been retired from the FCA Handbook; however, despite this, we believe that they contain useful information, particularly on best practice versus bad practice.
Senior Management and Culture
The Senior Managers and Certification Regime (SMCR), originally put in place for banks, has now come into effect for other financial service firms from December 2019. Its well publicised aim is to embed good practice, ensuring ethics and good governance is more than a tick box exercise.
For managers who fit into the smaller and medium sized firm categories, this is still new in terms of operating under this regulatory regime. They may have yet to redesign their underlying processes to ensure that the fundamentals of SMCR are adhered to throughout the business. Of course, COVID-19 has not made this easy and SMCR may well have been put to one side for the moment. We anticipate that when the COVID-19 pandemic is over, the FCA will increase their scrutiny of firms’ culture and governance throughout the period. The FCA will, especially if issues have arisen, give consideration as to how Senior Management performed over this crisis and whether it can demonstrate that this was in a responsible manner.
3LDC supports firms and the individuals appointed as Senior Managers (including those authorised under the FCA’s Senior Manager Regime), in not only meeting their responsibilities around SMCR but in ensuring it is embedded throughout the organisation. We have listed below some of the key areas and tools which have proved themselves to be very effective in ensuring sound practices are operated, when working with clients to assess and enhance their governance frameworks. Our services include:
1. Healthcheck
A healthcheck assessment of the current policies and processes to ascertain if they are working and how the culture and governance formally flows through the organisation.
2. Risk Assessment
The risk assessment will evaluate the key areas of risk and the controls that the firm has established, understanding if these are effective and working. We will help the firm to identify gaps and develop a plan for remediation.
3. Management Information
We assess the management information that is produced, to ascertain whether it is clear, effective and helps the senior management. Too often it is just data rather than management information providing valuable insight. You need the right metrics and parameters.
4. Training
Our team works with firms across different areas of the business, using our cross-organisational skill sets, gained in senior and C level positions. These encompass control functions, operations, front office, HR, and finance. We run practitioner-led training and mentoring for senior individuals to help them understand and adapt to the requirements of the SMCR.
5. Non-Executive Directors
3 Lines of Defence Consulting can support NEDs with training and mentoring to help them build awareness of conduct risk, governance and how the businesses operate. We can also identify suitable NEDs for firms if required.
6. Independent Reviews
Our team acts as an independent sounding board for many clients, supporting them with whistleblowing, investigations and challenging compliance and other teams. We have, for example, independently audited the compliance, audit and risk functions, reviewing the first, second and third lines of defence. This provides reassurance and protects the board and senior managers. Our IT security experts can assess firms’ cybersecurity defences, helping to identify risks in operations and processes, and outlining suitable mitigations.
Through the delivery of the above services, 3LDC provides advice and support to enable firms to assess and enhance their governance frameworks.
COVID-19 and the New Normal
We now recognise that the Distributed / Remote Working model (working from home) has become the new normal and will be with us for some time to come – for many, well into next year. Although the individual circumstances may vary, it will still have an impact.
A recent AIMA survey indicated that 50% of firms were not looking to return to the office until November 2020 and 20% were looking at January 2021. Then there is the big question in everyone’s mind as to whether this means everyone will be back in the office or a move to a partially distributed / remote working model. This change of the status quo brings with it a new set of challenges and changes to the way we operate. There are also opportunities for business model and work practice changes going forward. Remember, as regulated entities, the FCA and PRA’s expectation of firms and their governing bodies has not diminished. They are currently tolerant but are definitely not turning a blind eye to the obligations under SMCR.
Beyond BCP
It started as BCP and maybe that emergency team leading the response has now been “stood down”. You had to think on your feet, as the plan did not really exist to deal with the global pandemic. Everything appears to be working to the best of your abilities, especially given the scale of response required. However, now is a good point for the senior management to take a step back and look at the bigger picture. What are our next steps, where do we go from here and how do we get there safely? Now the focus needs to be more strategic, shifting to establish processes, control and communications.
Communication is Key
Good communication remains essential. Obvious as it sounds, this can start to be overlooked when responding to a long-term change like this. The communications message needs to be driven both externally with clients/investors and internally with your teams, not forgetting auditors and all those other important connected parties. We have seen this addressed internally with the establishment of regular virtual business updates and team building business virtual drinks, as part of the standard new norm for the business operating model. Next steps beyond the emails and virtual meetings may include webinars, podcasts and using other social mediums.
Systems and Infrastructure
Further enhancing your IT platforms and structure will be an almost inevitable requirement, if you have not done so already. Not only from the internal perspective, the efficiency and control, but just as important is the fact that clients now expect you to provide a more efficient service. Information security and cyber-crime risk in this distributed world has increased. So, your model of primarily “protecting assets inside the building” has been superseded by a need to also cover all those new remote laptops and home PCs (some of which may be owned by the employee rather than the firm). We are now seeing many firms starting to look at smart systems to protect their network whilst everyone works remotely. You need to ensure everyone can access systems safely (wrapping protection, detection and response into a single control), to make life simpler.
Document Everything
Policies, controls and procedures now need to be amended to reflect the new working regime. This will help staff protect against errors and comply with regulatory requirements. Remember, the key changes need to be documented. The changes need to be implemented consistently and, importantly, they need to be communicated both internally and externally.
Contracts
It is also time to look at your legal contracts, relationships with key outsourcing suppliers/vendors and clients (including investors). The new normal may have changed how you want to be committed and/or the commitments the parties make to you. Blanket force majeure clauses might not be so appealing anymore. Also, do your new business model and/or working practices require changes to be made to the service? Were you happy with the service you received and are continuing to receive? You need to know where they stand, as it impacts on your delivery capacity.
Post-Lockdown
Looking forward into the post-lockdown world, perhaps there is the opportunity to make some changes to how we all operate. The distributed / remote working model has proved it is sustainable beyond a short BCP period. Employees have, in many cases so far, embraced it positively and processes have continued to run. Maybe adopt some of this into the new norm. Allowing staff to rotate from working at home to being in the physical office can enhance their work time experience. Looking at reducing office space can be cost effective now. Maybe tectonic changes are some way off, but small changes may make a difference going forward. Increased flexibility can make for a happier workforce, and remember a happy workforce is a successful workforce. In conclusion, you should be constantly monitoring the situation and reacting accordingly.
You need to get the best out of your BCP and continuous operational deployment. Do it now rather than struggle later. Investors, clients, service providers and others will be judging you on your performance, so make the best of a challenging situation.
What can 3LDC and its sister company 4LOD do to help you to adapt to the new normal:
• Review and health check IT governance and structures
• Review information security, cyber risk and GDPR frameworks
• Review control framework, to ensure fit for purpose
• Provide IT software tools to empower staff and manage end point risk – such as PowerPDF, GalaxKey C-HUB AiRE
• Advise and support strategic initiatives, including support to manage and deliver on the regulatory implications
• Assess key outsourced suppliers
3LDC and 4 Lines of Defence can help you adapt and thrive in the New Normal environment, assessing the risks and implementing enhancements.
BREXIT
BREXIT looks like it may go through with no deal. The UK will become a “third country”, and UK trading venues will become third country trading venues. Many firms put their BREXIT project on hold because of COVID-19, but now is the time to start urgently dusting it off again. At present, it still appears likely that the UK will be granted long term equivalence and you should factor this into your plans.
Outward Looking
It is highly likely that if you have clients based in “mainland Europe”, you may, in various sectors such as asset management, be able to take advantage of reinvigorated temporary laws and regulations, designed originally to handle the dislocation of a hard BREXIT. Several EU Member States have legislated to allow UK firms to continue temporarily to provide certain services in their jurisdiction following a no-deal Brexit. There is therefore uncertainty around how some of these provisions will be applied. You need to start planning and/or implementing your longer term model.
Inward Looking
If you are coming into the UK to do business, the temporary permissions regime ends at the end of 2020, and you may have to become authorised in some form to continue to provide financial services into the UK, which will encompass appropriate and proportionate governance and control frameworks.
Outsource and share the load
All of this is happening while the financial sector is coping with COVID-19, with human and financial resources stretched. 3LDC can help take some of the load off your shoulders by providing a combination of project management and subject matter expert support. This can be through advisory services or the provision of hands on resource over this period. We can work remotely or work on site with you when lockdown is lifted.
67 Grosvenor Street Mayfair London W1K 3JN info@3ldc.com info:4LOD.co.uk Tel: 020 7129 1270