Vigilance in a Virtual World: Operational Due Diligence in a Remote Working Environment

1. Introduction

In early 2020, as the Covid-19 outbreak became a global pandemic, country after country started to enter into lockdown and industries, including investment management, had to adjust quickly to working remotely. In anticipation of and reaction to the successive waves of changing operational risk, Man FRM undertook several stages of additional operational due diligence (‘ODD’). The initial stages, which commenced as lockdowns were starting in Asia but not fully in place elsewhere, involved focusing on the preparation of investment managers to ensure they were able to operate all processes remotely. Market volatility in March moved attention to heightening risks, including insufficient excess cash, margin call pressure, ISDA¹ covenant breaches, redemption pressures and associated going concern risks.

Whilst some sort of relative stability has returned, it is difficult to determine when working remotely will no longer be the default. This article looks at the challenges the current environment presents to ODD – what new risks are there to assess, how can ODD be conducted and will this change how ODD looks in the future?

2. Where Are We Now?

Following the latest government guidelines, investment managers in Asia are starting to move some employees back to offices, but elsewhere, most investment managers continue to work remotely. The alternative investment industry has seen a gradual move to replace physical workplace recovery sites with remote-working technology over the last few years, meaning these capabilities are assessed as part of standard ODD meetings. If we are looking for a silver lining, it is fortunate that Covid-19 has occurred at a time where remote-working technology has meant minimal disruption at investment managers. However, working remotely still presents new considerations for ODD, both in terms of risk areas to assess and how to conduct these risk assessments.

2.1 New Operational Risk Considerations

Working remotely does not change the high level risks that require assessment, but it does introduce new challenges to the controls that investment managers have in place to mitigate these risks. When government guidance changes and offices reopen, it is possible that a larger proportion of investment management staff will choose to work from home (at least part of the time). These new risks are therefore likely to remain present post Covid-19 and will form part of ODD considerations going forward. Investment manager policies and procedures on different areas (as mentioned below) will need to adapt, not only during Covid-19, but also for the future as the work force becomes more flexible.

2.1.1. Cash Controls

Fraud risk is a key part of ODD assessments. Strong controls on cash movements significantly mitigate this risk. Systematic controls, such as use of external administrator provided payment portals with controlled user access, should continue to be used wherever possible. The risk of fraud becomes heightened for payments that require physical signatures (e.g. Letters of Authorisation or ‘LOAs’). There should be a continued focus on the controls in place and how these are currently being monitored. Cyber-security protections may prohibit remote printing (and therefore physical signing) of payment instructions. Whilst moving from ‘wet ink’ signatures to electronic signatures may be more efficient, it could increase the risk of fraud if there is unauthorised access to these electronic signatures. Over-reliance on email requests for payments may also leave investment managers open to targeted phishing emails.

2.1.2. Cyber-Security

KnowBe4² (a cyber-security vendor) has noted an increase in phishing emails during Covid-19; the most popular being fake password reset requests followed by emails claiming to provide information on the pandemic. Working remotely is a new experience or many individuals and outside the familiar office settings, cyber-security vigilance may decrease. Investors should therefore continue to assess the cyber-security awareness of their investment managers. Investment management staff should only be using company networks and not personal emails; cyber-security training should be conducted; and scheduled phishing campaigns should not be delayed until the return to the office.

2.1.3. Compliance

Whilst acknowledging that this is practically more difficult given the compliance function is also operating remotely, key controls that exist in the office, including trade surveillance and MNPI³ escalations, should continue in full. Investment managers with high levels of automation will have an advantage as long as trading is completed only on systems connected to the company network. Compliance should remain in contact with high-risk employees – such as traders, portfolio managers and sales staff. This could be done by perhaps increasing volumes of sample checks, particularly where there is less automation to create a strong reminder of the presence of compliance. Other protocols will also need to be re-assessed, such as the use of recorded phone lines by key staff (where applicable). Compliance should continue to require all staff to attest to policies such as confidentiality, anti-money laundering (‘AML’), and market abuse. Compliance training should continue to be provided to employees and can be used as a reminder that the compliance function remains as important as ever.

2.1.4. Video Conferencing

The use of video conferencing (‘VC’) technology has increased significantly during Covid-19 and had not necessarily been factored into compliance processes before this period. Given the multitude of platforms available, an investment manager may not be in full control of which platform external meetings take place. Investment managers should have a policy in place for the use of VC – particularly for employees subject to communication monitoring. Although VC may feel more informal than standard office meetings with external parties, compliance policies should require the use of dialling into VC meetings via recorded lines rather than device audio. Brokers (and other high-risk third parties) should be required to inform compliance teams of their own VC policy and provide details of employee attendance on these VC meetings upon request. Employees should be regularly reminded of their responsibilities whilst working remotely (e.g. via the attestations mentioned above).

2.2. Operational Due Diligence

ODD, whether for new or existing investments, has always required onsite meetings. Despite offices closures and global travel being severely limited, ODD needs to continue even though onsite visits are not an option.

2.2.1. New Investments

The need to deploy new capital on behalf of clients now must be balanced against ensuring the same standards of ODD are maintained, in order to safeguard client capital in the absence of an onsite due diligence visit.

Where an onsite visit is unable to take place, obtaining references from parties who have previously conducted onsite due diligence is a useful way of independently confirming existence of the investment manager and the office. ODD teams can also leverage investment teams (who may have been onsite) and other independent service providers.

In the absence of visits, VC meetings can be used to conduct ODD in the interim. ODD meetings should continue to involve the same key non-investment professionals as an onsite visit would. Independent verification of trade and operational processes via systems reviews and trade walkthroughs will need to continue, so investment managers should be prepared to demonstrate systems remotely through VC or other methods.

Remote ODD meetings should be conducted with cameras on in order to replicate as much of the onsite experience as possible. This will assist with key onsite benefits such as observing the interactions and body language of people but will not be able to replicate it in full. There are, however, still adaptations to be made both on the side of the investment manager as well as the investor. Increased flexibility will be required for VC meetings. Lengthy 3- or 4-hour meetings may no longer be possible as in many circumstances children remain at home and people may have other household members that are dependent on them. VC meetings give more flexibility and it is likely to be more convenient for everyone involved to split meetings up into several smaller chunks. Without access to printed agendas and materials, ODD teams will need to ensure their home set-up is appropriate to be able to access the required information during the meeting. Any VC-based ODD approval should be followed up with an onsite visit as soon as it is practicably possible.

There are some documents that investment managers historically have only made available for review onsite, such as compliance policies and regulatory exit letters. With no ability to review these onsite, there will need to be a change in process. Alternative methods of sharing these documents while maintaining confidentiality will need to be agreed. This could take the form of secure data rooms that allow read only access for a period of time, sharing documents on screen during virtual ODD meetings or other equivalent formats.

Background checks on key personnel, including confirmation of educational credentials and criminal record checks, are a key part of the ODD process. With education centres and court-houses having been closed after the onset of the pandemic, completing this part of the process in lockdown has not always been possible. Some comfort can be gained where providers have previously completed background checks from earlier dates. As Covid-19 lockdown measures start to ease in various jurisdictions, obtaining this information is becoming easier; however, there will still be a backlog of checks to get through. In the interim, it may be helpful to acquire an attestation from the manager that a background check was performed with no issues identified.

As with all ODD reviews, the level of risk and potential areas of concern will vary from investment to investment. Whilst working flexibly to assess risks during this period, there may be instances where enough comfort cannot be gained without an onsite visit or detailed background check, and approval of the investment may have to be delayed. Flexibility is important but should not be prioritised over security: the most important function of ODD is protecting investor’s capital from high levels of operational risk.

2.2.2. Ongoing Monitoring

The ODD risk for existing investments is lower than new investments given that onsite visits will previously have been conducted, in many cases on numerous occasions. VC can therefore be used in the interim to re-assess the controls in place. Issues mentioned above, such as availability of documents and any required background check updates, remain present for ongoing monitoring.

3. Where Are We Going?

Covid-19 has introduced an unprecedented change to the way the investment management industry goes to work. Normality will eventually return; however, it is unlikely office work will look exactly the same as it did before. By and large, working remotely has been successful, which will result in employers being more comfortable letting some staff work from home on a regular basis. Business travel will also resume at some point, but it is currently unclear whether it will be to the same scale, or indeed, whether people will feel safe enough to travel frequently. So what will ODD frameworks look like in the future?

For the most part, we don’t believe there will be significant changes to ODD processes. It is highly unlikely that VC meetings will entirely replace onsite ODD – there is too much to be gained from face-to-face meetings when assessing the risk of an investment. Key risks will remain the same and the questions that were asked before Covid-19 will continue to be asked. This doesn’t mean though, that all the adaptations put in place during this period will be abandoned when we all move back into the office.

Virtual ODD may still have a part to play. Given the uncertainty on when business travel will resume, ODD for investment managers abroad will continue to be virtual. The frequency of travel for onsite meetings may be revisited: whilst ongoing monitoring for investment managers that are considered higher risk would continue to be performed onsite, perhaps there is an argument for onsite visits on a less frequent basis for lower risk managers, and instead using VC meetings in the interim. Access to documentation required for ODD may become easier. When methods of virtually viewing documents traditionally only viewed onsite are agreed, there is no reason why this access cannot continue when normality returns. This would allow greater preparation in advance and therefore shorter, more tailored meetings.

4. Conclusion

Covid-19, in forcing a prolonged period of remote working, has provided the investment management industry with important feedback on technology resilience, staff being able to fulfil work responsibilities remotely and the robustness of key stakeholder relationships. The entire industry was jolted into a new way of working and a new relationship with technology, which probably accelerated some changes that would have occurred anyway. Whilst some adaptations are temporary and cannot replace tried-and tested-methods, some changes will continue and may help to increase the efficiency of ODD.

1. International Swaps and Derivatives Association.
2. Source: KnowBe4; Q1 2020 KnowBe4 Finds Coronavirus-Related Phishing Email Attacks Up 600%; 9 April 2020.
3. Material non-public information.