Board Oversight Of Third Party Vendors: Building A Practical Oversight Process

Transcription

Mutual Fund Directors Forum
Board Oversight of Third Party Vendors: Building a Practical Oversight Process
May 31, 2017
Molly Moynihan, Perkins Coie LLP

Introduction: The Whats and Whys

What is Vendor Risk Management? A systematic approach for identifying and decreasing potential business uncertainties and legal liabilities arising from third-party vendors.

Why does it matter? Mutual funds rely on a myriad of third parties to perform vital services, from pricing to trading to IT hosting. These third-party vendors can create vulnerabilities and service issues.

2 Perkins Coie LLP PerkinsCoie.com

Understanding Vendor Risk Management

Vendor Risk Management (VRM) and Contracting is a profession, with its own sets of professionals and standards, much like internal audit.

Depending on its size, a complex may have a sophisticated program for VRM or it may have no program at all.

Nonetheless, big or small, the risks are the same and the components for managing them are the same.

Risks

Third-party vendors, like all service providers, can introduce a variety of risks into the operations of a mutual fund.

- Market Risk—e.g., trading systems
- Operations Risk—e.g., business continuity
- Regulatory Risk—e.g., pricing services
- Cyber and Data Privacy—e.g., IT providers
- Reputational—all of the above

Recent Examples

All-Night Push After Glitch Hit BNY Mellon (September 2015)

At the height of the market volatility on Aug. 24, executives at Bank of New York Mellon Corp. got the news they wanted to hear: A glitch affecting the system that keeps more than a thousand mutual funds running was likely to be fixed soon. BNY Mellon relayed the news to some clients.

But the problem was far from over.

By nightfall, BNY Mellon vendor SunGard Systems Inc. hadn't been able to repair problems with its system, which allows money managers to give investors the values of their holdings. Thus began a weeklong crisis in one of the most basic but crucial sections of Wall Street's infrastructure.

From Wall Street Journal

Recent Examples

Bloomberg Terminals Go Down Globally (April 2015)

Bloomberg LP was hit by a massive computer-network outage Friday, forcing its terminals out of action for hours and leading to major disruptions for traders around the world who rely heavily on the machines.

From Wall Street Journal

Recent Examples

NSA officials worried about the day its potent hacking tool would get loose. Then it did. (May 2017)

When the National Security Agency began using a new hacking tool called EternalBlue, those entrusted with deploying it marveled at the widespread havoc it could wreak if it ever got loose. . . . For more than five years, the NSA kept using it — through a time period that has seen several serious security breaches — and now the officials' worst fears have been realized. The malicious code at the heart of the WannaCry virus that hit computer systems globally late last week was apparently stolen from the NSA.

From Washington Post

Role of the Mutual Fund Board

Mutual Fund Directors Forum, "Role of the Mutual Fund Director in the Oversight of the Risk Management Function":

. . . [T]he goal of effective risk management is not to eliminate risk. Instead, investment advisers and other key service providers develop systems and processes designed to identify risks and manage those risks appropriately in light of the information available.

While boards of directors of mutual funds ("boards" or "fund boards") are not directly responsible for risk management of the funds they oversee, directors should be aware of their fund's adviser's and key service providers' risk frameworks, policies, procedures, and systems in place for identifying, analyzing, and managing risks.

Role of the Mutual Fund Board

It is appropriate for a Board to seek reporting from Management with respect to Vendor Risk Management systems in place for key third-party service providers. This is in addition to the Board's oversight of risk management at its primary service providers, i.e. Adviser, Transfer Agent, Distributor, Administrator and Custodian.

The funds generally do not contract directly with third-party service providers.

Focus should be on understanding:
- Risk Ranking
- Contracting and Onboarding
- Vendor Risk Assessment and Oversight Program
- Significant Events

Risk Ranking

VRM programs should begin with risk ranking. Various terminology is used, but typically vendors are ranked by Tiers. It is important to ensure that business units are risk-ranking all vendors.

Risk Ranking

A failure at a Tier 1 Vendor presents an immediate risk of material harm to fund operations. The Board, accordingly, should focus on Tier 1 vendors and the oversight processes in place with respect to onboarding, contracting and oversight.

Examples of Tier 1 Vendors

Onboarding and Contracting

The Board should seek to understand the Onboarding and Contracting process.

Many larger complexes have dedicated staff who can provide an informational presentation to the Board on the contracting process and standards.

Onboarding and Contracting: The Liability Hole

Almost all contracts with vendors include negligence or gross negligence liability standards and may limit damages to fees paid; many vendors are dominant industry players (SunGard, Bloomberg, IBM), giving funds little leverage for negotiation; and vendors may or may not be well-capitalized.

In a "liability stack", there may be unlimited liability on the bottom (fund losses) but capped liability at the top (vendor liability). This was true in the SunGard incident, following which SunGard is reported to have further limited its liability.

Contractual Risks: Best Practices

- Identify risks and related contractual terms.
- Mitigate by endeavoring to negotiate better contractual provisions, including SLAs.
- Manage risk by building redundancies and processes to protect against potential harm (for example, processes around patches), or seek to lay off risk through insurance, if feasible.
- Accept.

Vendor Risk Assessment & Oversight

The process for Risk Assessment & Oversight can include:

- Questionnaires—covering topics such as the vendor's policies, procedures and processes; IT and data security profile; and business continuity.
- Collection of evidence or documentation covering areas of concern, which could include: professional certifications or licenses; SSAE 16, SOC 2, and SOC 3 reports; policies and procedures; financial reports; and external or internal audit reports.
- Onsite visits.

Record-keeping

The VRM Program should include a robust process for cataloguing all vendors, including a profile system showing contract renewal schedule, risk ranking, oversight schedule, relevant business units, etc.

Tip: it is surprising how often firms do not have a centralized system; individual business units may enter into vendor contracts with little or no legal review over contracting.

Event and Board Reporting

- The VRM Process should include a process for receiving and documenting reports concerning material incidents, including response and mitigation.
- The Board should have a process for prompt reporting of material incidents to the CCO, Audit Committee or Board Chair, as appropriate given the reporting structures of the particular Board.
- The Board may wish to receive annual dashboard reporting on the VRM process, with emphasis on Tier 1 Vendors.