Risk management of fund management companies and managers of collective assets: Overview of FINMA Guidance 04/2024

Classification¹

_{¹ This is a highly simplified presentation, which should enable a quick initial classification of the topic. Each institution should determine the relevance and the specific need for action on an individual basis.}

Possible measures in the area of operational risk management

The new guidance is based heavily on FINMA Circular 2023/1 "Operational risks and resilience", which applies exclusively to banks and securities firms. Many of the principles set out in that circular can now also be found in the new guidance, albeit in a shortened and simplified form. This means that the principles on operational risk management established in the banking sector are also to be applied in a reduced form to fund management companies and managers of collective assets. FINMA reminds the institutions in these supervisory categories to fulfill appropriate risk management requirements in order to avoid weaknesses. The highest governance body should define the principles for the management of all material risks to which the institution and the assets it manages are exposed. This includes defining the risk tolerance and developing directives, procedures and processes for identifying, assessing, managing and monitoring risks. The management must implement these guidelines, designate suitable functions and report regularly. Both bodies must periodically review their policies and processes for appropriateness and effectiveness, particularly in the event of changes to business activities or organization.

The measures in the supervisory communication on the management of operational risks are broken down into the following areas:

• Management of ICT risks (information and communication technology)
• Management of the risks of critical data
• Management of cyber risks
• Business Continuity Management (BCM)
• Management of risks from cross-border service business (cross-border)
• Management of operational risks in the case of outsourcing

FINMA's expectations based on its supervisory activities and the licensing procedure

As part of its supervisory activities and the licensing procedure, FINMA has identified areas for improvement at numerous institutions. For example, each institution should keep an inventory of its key hardware and software components (ICT inventory) and this ICT inventory should be regularly reviewed to ensure it is up to date and complete. In addition, measures to manage cyber risks must be defined to ensure the prompt resumption of regular business operations after an attack and compliance with reporting obligations to FINMA and, if applicable, to the Federal Data Protection and Information Commissioner (see also our newsletter Cyber Attacks of July 13, 2024). Critical data must be identified and appropriate protective measures and controls must be defined. When determining the critical data of an institution, a holistic approach must be taken that includes not only personal data and customer data, but all data that is essential for the institution. Furthermore, the business continuity plan should be periodically reviewed and tested, and clear communication strategies for emergencies should be defined. 

In the area of legal and compliance risk management in cross-border business, the institution must analyze the legal framework of the respective country and take the necessary measures to mitigate the risk. In addition, the domiciles of the target customers should be included in the money laundering risk analysis and the relevant legal situation in the respective countries should be continuously monitored.

When outsourcing the risk control function, the institution should focus on the knowledge and experience of the service provider in the area of operational risk management. Key activities should be recorded correctly and completely in the inventory in order to avoid control gaps.

Applicability and significance for Portfolio Managers and Trustees under Art. 17 FinIA

Other than to fund management companies and managers of collective assets, the supervisory notice is, in principle, not aimed at other FinIA institutions such as Portfolio Managers or Trustees pursuant to Art. 17 FinIA and is therefore not directly applicable to them. Nevertheless, the supervisory communication contains numerous measures which, to a lesser extent and depending on the size, complexity, structure and risk profile of the institution, also make sense for less regulated institutions. For example, general guidelines on operational risk management or guidelines in the area of cross-border and outsourcing. Other FinIA institutions should also not ignore the marginal figures on cyber risk management and BCM.

Conclusion and outlook

FINMA Supervisory Communication 04/2024 once again emphasizes the most important measures in the area of operational risk management for fund management companies and managers of collective assets. Experience has shown that the measures can be implemented with manageable effort. Although other FinIA institutions are not directly affected, they should clarify the extent to which the supervisory notice is relevant or helpful for them, depending on the size, complexity, structure and risk profile of their institution. 

Contacts