If you were to get your car inspected today, there are dozens of things the mechanic must evaluate to demonstrate that your car is safe. The inspection checklist, required by law, includes things like checking safety devices (e.g., seat belts and headlights), testing the brakes and windshield wipers, and evaluating emissions control features.
Like cars, transfer agents are also regularly inspected. At its core, the purpose of this due diligence or operational oversight process is to demonstrate the strength of the transfer agent in helping the Fund manage financial, reputational and regulatory risk as it pertains to its transfer agency responsibilities.
Boston Financial has a comprehensive mix of policies, people, and processes in place to help clients with their operational oversight needs. Loosely aligned with the three lines of defense risk governance model, these include formal information security policies, the formation of committees to monitor operational quality, and third-party penetration and vulnerability testing of the IT infrastructure (Figure 1).
Given the intricacy of the system, combined with the evolution of risk in our industry, how can an asset management firm begin to approach the operational oversight process?
Just as cars have evolved since the invention of the Model T in 1908, so have the rules regarding annual vehicle inspections. For example, in Massachusetts, cars manufactured before 1983 are exempt from emissions standards. The passage of mandatory seat belt legislation in 1994 led to the addition of the inspection of these devices to the annual safety checklist. While the car safety checklist has changed, the basic inspection process has not.
The same is true for your inspection of a transfer agent. Ideally, the due diligence process is a continuous one, collaboratively undertaken by the asset management firm and its business processing partner. This is why the fourth component of our operational oversight infrastructure is partnership. How a mutual fund company approaches its transfer agent “safety inspection” varies and may include any of the following: presentation by the transfer agent to the fund board of directors, on-site evaluations and strategy sessions, or reviewing the SOC 1 or due diligence questionnaire.
At Boston Financial, we have seen the volume of due diligence questionnaires increase exponentially over the last three years, from three in 2012 to more than 50 in 2015 (YTD). We have delivered more than 70 information security presentations to our clients and their boards, and client participation in our annual CCO Due Diligence Forum, hosted last month, was higher than it has ever been.
Coupled with the spike in volume is a shift in the range of questions asked. Given the seriousness of the risk posed by cybercriminals along with the present-day SEC examination priorities, IT risk management questions are still king, at 72% of the questions answered (YTD) in 2015. However, we are now seeing a rise in questions about risk management at the business processing level. This tells us that clients and their fund boards are becoming more concerned about financial risks from an operational perspective and regulatory risks caused by non-compliance with state and federal rules.
Unlike the automotive industry, there are currently no formal rules governing transfer agent inspection. While there is no regulatory guidance, it is clear that checking under the hood of the transfer agent is no longer as simple as reviewing the SOC 1 report or accepting the SIG Lite as proxy for a vendor oversight questionnaire. Each client’s due diligence process is different and should be tailored as needed based on their internal risk governance procedures, risk ranking results, and the scope of services delegated to the transfer agent. What stays constant throughout is that the transfer agent understands and continuously demonstrates – both through day-to-day performance excellence, and through the due diligence process – that they are partnering with the asset manager in mitigating risk and meeting their “safety goals”.