Sheenagh Gordon-Hart, Independent Director at The Director’s Office
The first quarter of 2024 has passed very quickly and, while the geo-political problems we face seem to be growing by the day, there is an air of optimism that one hopes is not ill-founded.
That air of optimism was in evidence at last week’s ALFI conference here in Luxembourg.
Combining the Global distribution conference with the European asset management conference seems to have struck a chord and the two-day event was well-attended by over 700 participants with standing room only for several sessions: a sure measure of success. Key topics covered included: distribution, governance, regulation and technology, the latter naturally including sessions on blockchain, tokenisation and Artificial Intelligence (AI). On the regulatory front, there was coverage of ELTIF 2.0 which everyone hopes will finally be a much-improved framework, capable of capturing greater opportunities for asset managers; ‘piano, piano’, as the Italians say. While I remain somewhat skeptical about whether this reboot will adequately address the shortcomings of the original ELTIF, it was reported at the conference that there are 40 new ELTIFs in the pipeline, in spite of the fact that the ink isn’t dry on the accompanying technical standards: in February of this year there were 101 ELTIFs in Europe of which 65 are Luxembourg domiciled, so it seems the market is convinced that ELTIF 2.0 will be a success and that Luxembourg will continue to be the main centre for such products. Amongst other regulatory subjects discussed was the Commission’s Retail Investment Strategy, which if framed correctly could provide a major boost for asset managers everywhere – that is, if somehow it starts to unlock all those bank deposits to which European savers are wedded. The jury is out on that: not just because there are yawning gaps between those who would abolish any form of retrocession or inducement and those for whom inducements are embedded in market practice for example, but also because of politics – this is an election year and will see the EU with a whole new parliament and Commission before year-end, so who knows where the policy dice will fall?
Serge Weyland, the new CEO of ALFI, opened the second day of the conference in an upbeat fashion and in a recent interview noted that (sometimes) the ‘pan-European regulator does not do its job properly’, in relation to some of the basics of investor protection such as the treatment of investment breaches and NAV errors. He also warned against excessive tightening of rules that could squander and destroy the EU’s unique UCITS dividend. How refreshing! It certainly looks as if he will raise his quiet voice in the right places to ensure Luxembourg’s asset management sector continues to thrive.
On the issue of technology, one of the current subjects that is a source of concern amongst Luxembourg asset managers, service providers and independent directors is DORA, the EU’s Digital Operational Resilience Act, a regulation that will be effective from January next year. Article 1 of DORA sets out that the regulation addresses ICT risk of financial entities. The regulation requires financial entities to follow strict rules for the protection, detection, containment, recovery and repair capabilities against ICT-related incidents with accompanying requirements on risk management, incident reporting, resilience testing and third-party risk monitoring. In short, financial entities will have to explicitly address cyber threats and ensure there is a robust control framework to prevent and mitigate cyber threats. Over recent years, boards of asset management companies have increasingly requested reporting on cyber security from their service providers as incidents of cyber breaches have increased in number and impact. Now DORA will require boards to adopt a written policy, reviewed at least once a year, assigning internal responsibilities as part of the governance framework for the use of ICT services supporting critical or important functions, as well as having a documented exit plan where a third-party provider is contracted for the provision of such services. The complexities associated with DORA come into sharp relief in a jurisdiction like Luxembourg with so much of its business being cross-border and outsourcing a core part of the asset management eco-system. Boards will not only have to acquaint themselves with the new regulation but are explicitly required to keep up to date with sufficient knowledge and skills to understand and assess ICT risk and its impact and directors will also have to undertake regular relevant training. For directors who haven’t familiarised themselves with DORA, the time to catch up is now and time is running out. And for those whose eyes glaze over at the thought of getting into the technology weeds, maybe the sanctions in case of breach will make you pay attention: administrative fines of up to 5 million euros for a physical person or 5 million euros or 10% of turnover for a corporate. A point independent directors should consider is the security and resilience of their own ICT framework, starting perhaps with their email: how secure is it? Some independent directors will have the ability to conduct their business through hopefully secure client portals, but where that isn’t an option, additional measures may be necessary. Here at The Directors’ Office, we have our own IT infrastructure and have recently completed a review to ensure we have the resilience we need, one of the benefits of operating within a co-operative college of independent directors.
So as usual, plenty going on in Luxembourg but for now Happy Easter to everyone.
