Principal firms – are you getting governance of ARs right?
We work with many principal firms in the wholesale space, and some ARs as well. We have closely followed the work of the FCA in this area. We have found that firms in this space are often altruistic – they are not looking at the bottom line when providing services. They simply want to offer a platform and room for smaller firms to grow (often with founders that have gone through the same journey themselves). I appreciate this is not true for all principal firms – for some it is simply another income stream!
For some (but not all) principal firms, this altruistic approach has meant that issues have now arisen as the FCA has increased the regulatory burden. Where a principal firm has focussed solely on the ‘day to day’ (often coupled with strong growth), it may not have the compliance and governance structures needed to support prompt and effective decision making (and, critically, documentation of that decision making).
This is an area worth spending time on – taking the ‘helicopter view’ rather than looking from the bottom up (i.e., what tests should be conducted on an AR). Organic growth can lead to a less robust, hands-on approach, without thought to the changes needed to bring efficiencies and clarity. Also, an ‘altruistic’ approach may mean principal firms are simply not charging ARs enough for the risk premium and the resource required to monitor ARs and assist with their compliance (assuming ARs do not have their own compliance resource). We’ll come back to these points later.
We’ve set out below a ‘straw man’ (or ‘straw woman’ – take your pick) of how AR oversight can take place within a principal firm. There is no one size fits all, of course, but it is a description principal firms should understand when reviewing their governance and internal structures (and risk management, including ICARA). Imperfect, but it describes key areas that would provide comfort to the Board/Partners and generally align with FCA requirements.
If the below prompts questions, we are more than happy to discuss a principal firm’s approach and provide you with feedback/our thoughts.
What might this structure look like?
Articulated risk appetite
So, this ‘straw person’ starts with the Board/Partners, and a principal's overall risk appetite. This is not the forum to explain risk appetite or go into depth on this topic, so this is a very brief explanation only. But just stating ‘low risk’ will not cut it. Sure, you might have a low risk appetite for being fined by the FCA (regulatory risk) and for handling stolen money/breaching sanctions (financial crime risk), but you’re likely to have a higher risk appetite for business risk i.e., commercial organisations typically like making money, and will take necessary risks to do so. Your risk appetite statement should set out these differences.
So, what is your overall risk appetite for ARs? How many ARs should you have? Or how about using 'stats' for all your ARs...so, a maximum of X individuals working in all ARs overall? A maximum AUM for advisory (management) assets, or total number of AIFs or total numbers of clients (retail/institutional)?
You can then home in on the finer detail of risks you are willing to accept. So, the risk appetite would inform/be informed by several areas – it should reflect the resources you have available or are willing to have available (financial, people and systems/controls) and the level of knowledge/experience (competence) available in different areas/sectors. What we mean by that is, you should not set such a large risk appetite that you are immediately setting yourself up to fail (because you simply don’t have the resources, people or systems in place)!
Once you start thinking in terms of high-level risk appetite, you can then start adding ‘handrails’ such as:
a) Perhaps only UK/London based ARs (or Glasgow/Devon, depending on where you are based, as you will need to visit them, check what they are doing and so on, unless you have staff and offices around the UK or overseas?)
b) Do you focus on corporate finance/venture capital/distributors/professional clients (some of which may be dictated by your license) – what is your business model? What other business models do you understand, and have knowledge/competence in?
c) Perhaps have some hard limits in certain areas, e.g., no crypto/no algo’ funds/no retail customers?
You get the idea; it is a brief description of a complex area.
As well as qualitative criteria, it is worthwhile noting quantitative criteria (which are sometimes harder to visualise), e.g., the amount of risk exposure in £ you are willing to accept (overall and for different risks), arrived at by considering the exposure in £ if things go wrong. This is critical for the ICARA process.
Once you have an overall understanding of the risks you are willing to accept via your ARs, you can also consider (alongside the overarching risk appetite) how much risk should be within one individual AR (think in terms of maximum size, staff numbers, AUM and such).
This risk appetite needs to be documented and articulated so that staff (and the FCA, potentially) understand it. Simplicity is key here, no window dressing is needed.
Once the Board/Partners (or any other body, if delegated) have assessed and articulated the risk appetite, you should (if you haven't already) consider what resources are needed to manage these risks so that you stay within your risk appetite (i.e., what is needed to mitigate/control each risk). You will also understand the areas of risk that need monitoring so you can ensure you stay within your set risk appetite on an ongoing basis.
Risk-based due diligence and monitoring
In terms of processes/policies and approach, the firm’s risk appetite and assessment of what is needed to manage risk should inform the:
a) due diligence process
b) onboarding and individual risk assessment of each AR; and
c) ongoing monitoring
A firm should be asking whether individual ARs sit within the risk appetite, both at the initial onboarding stage and on an ongoing basis, and where the firm overall sits within the risk appetite considering all ARs together.
Critically, there must be a feedback loop between an AR’s risk assessment (based initially on the information obtained at the due diligence/onboarding phase) and the ongoing monitoring of ARs. This cannot be emphasised enough.
The firm’s monitoring should be risk-based, linked to the risk assessment and bespoke to the overall level of risk and the individual risks posed by each AR. This will mean going beyond the standard monitoring and prescriptive questions used to elicit information. To do so, monitoring and due diligence should be informed, but not prescribed, by the risk appetite specific to ARs. What we mean by this is that the risk appetite will focus on key risks but won’t serve as an exhaustive list of items to monitor. We would not expect the risk appetite to articulate whether ARs are late in registering with the ICO, for example.
We won’t go into the granular detail of monitoring ARs here (it is another lengthy topic). But, in summary, monitoring should be structured and risk-based, well documented, with clear record keeping and follow-up actions recorded/noted. Exceptions-based reporting will be needed for the ‘risk committee’ or other structure responsible (more on that later), with sample-based testing to review the effectiveness of monitoring, and changes implemented where it is found wanting.
This information flow is key, as robust monitoring of ARs is not effective without oversight of the risks posed and the involvement of decision makers to decide what happens next. For instance, what action should be taken to accept, mitigate, or control the risk arising from a change in an AR’s position? To give an obvious example, if an AR is onboarded with 3 months’ capital and cash, and during ongoing monitoring it becomes clear that it is now insolvent, the firm will need to decide what action is needed.
Structured decision making and monitoring
In terms of governance of ARs within a principal firm, if the principal firm already has a risk function and risk management committee (a full scope AIFM, for example), the risk management committee (RMC) could be given responsibility by the Board/Partners to manage the risk within ARs, to ensure this risk remains within the firm’s risk appetite. So, the RMC would become - or would oversee - decision making on the onboarding of ARs and ongoing monitoring. Key to its role would be understanding where the principal firm is within a) its overall risk appetite and b) where individual ARs sit within this risk appetite.
If a principal firm does not have an RMC, then it could create a risk committee, or a bespoke AR risk committee, stocked with senior decision makers and receiving information from the ‘doers’, i.e., those engaged on onboarding/monitoring on a daily basis. Alternatively, the RMC could delegate authority to an AR risk committee to fulfil this specific function (the RMC then acts as the conduit between the AR risk committee and the Board/Partners, focussing on changes in risk levels and not minutiae).
The key here is that:
a) There is a formal process for monitoring risk, with senior people engaged, and there is a specific forum for decision making and for providing MI to the Board/Partners on changes in risk levels vs. risk appetite;
b) There should then be a formal documented process for changes in risk levels, and actions taken to mitigate risks. Such actions might include the removal of an AR or a change in monitoring (more detailed or a change in specific requirements such as requiring more capital/cash, for example). Key Risk Indicators (KRIs) might be used for individual ARs and ARs as a consolidated group, to inform the Board/Partners as to ongoing performance against those KRIs and inform what action is needed; and
c) Senior management should be engaged and their decisions informed by an assessment of resourcing, compliance with FCA requirements and critical assessments on future changes/potential problems and the prudential impact of those. For instance, flag issues within the market, resourcing issues, reference and lead on consumer duty within ARs and set out if risks have increased. All of these may mean more capital is required under the ICARA.
Other items can be included/delegated, e.g., review of policies and procedures, consideration of the use of IT in monitoring, management of staff including L&D plans, and impact assessments for changes in risk appetite.
We have already referenced the ‘feedback loop’ between monitoring and oversight (and risk). The risk function in this structure becomes the fulcrum for this, as the arbiter of decisions to measure and take action to mitigate risk. The onus is on this body to ensure they are receiving the right information at onboarding/due diligence and via ongoing monitoring, so the principal firm has robust procedures in place, and is well resourced with competent and experienced staff/systems (whatever is needed to manage/mitigate risk). The risk function should also have a strong voice within the Board/Partners to ensure they are made aware of issues that may arise and how the ‘AR risk’ is being managed, and set out why certain decisions have been made/if further resources are needed.
The new annual reviews will provide a useful conduit to formalise this level of communication.
This may be considered overly formal or resource intensive; and in some firms I would agree. Individuals (if not committees) may instead pick up responsibility for the areas above, with perhaps more informal (but regular) communication and less detailed documentation/processes in place. Even if this is the case, documentation of risks and actions (and communication with the Board/Partners for risk management purposes) will be necessary. Whilst FCA rules generally are proportionate, firms without appropriate structures in place will need to accept a higher risk of regulatory action where they cannot clearly demonstrate good governance and timely actions to manage risk (and enough resources in place).
Commerciality
From a commercial perspective, I alluded earlier to the fact that many principal firms did not enter this market (on the investment side) to create a new business line solely focussed on maximising income. Many principal firms (including on the hosted solution side) simply wanted to provide a platform for others to have an opportunity to launch new enterprises. I can appreciate this stance. However, given the ever-increasing standards set by the FCA, I am unsure whether current fees charged by some principal firms will remain economical, certainly in the longer term. Particularly where ARs do not have their own internal compliance/financial crime resource and lean heavily upon the principal firm to fulfil these functions.
In our experience, a crude measure of resource needed (just for AR monitoring, in line with the higher requirements) is 1-2 days per quarter, per AR. Onboarding, due diligence (and risk assessments) can take several days per AR. In other words, for every 5 or so ARs you would expect a principal firm to have around 1 FTE (assuming trained and competent) simply for onboarding/monitoring. This does not account for senior staff oversight, and compliance oversight / senior management time.
There will be significant variance here, of course. Firms offering a ‘hosted solution’ model (AIFs, management and trading facilitated) including retail clients, will require greater resource compared to a principal firm that largely restricts their activities to say corporate finance firms dealing only with institutional investors.
Given the cost of compliance staff, recruitment, sickness/holidays, systems and controls and external advice, this is a significant burden for a principal firm. And it does not take into account situations where principal firms are also acting as 'in house' compliance/MLRO for ARs. Some principal firms did not charge separately for this, absorbing the extra costs, which is going to be extremely difficult to continue with the higher standards set by the regulator.
Fees for an AR used to range (median fee) from £2-3k per month prior to the FCA rule changes (on the wholesale side, advisory). Stacked against the increased resource and higher FCA standards, this fee structure will only work where a principal firm is willing to fund these activities from its own pocket.
In other words, acting as principal on an ongoing basis is unlikely to be commercially viable at these rates.
Principals are increasingly considering raising standard monthly fees and creating (if they did not already have in place) a range of additional fees based on 'compliance' or other services.
The FCA would happily accept a reduction in principal firm providers, certainly if this meant an increase in overall standards. I don’t think we have seen the full impact of FCA rule changes and regulatory intrusion in the market yet. There may be a push for consolidation - or smaller principal firms may simply move away from this space altogether. My only conviction is that AR fees will move in one direction – upwards.
How can ComplyCraft help?
We work with a number of principal firms, as well as ARs. We know the rules and understand the pressures they can create. We are more than happy to discuss a principal firm’s approach and provide you with feedback/our thoughts, and to help any principal firm that needs assistance in this area.
We’ve also developed extensive tools (policies and procedures) including due diligence questionnaires, risk assessments and ongoing monitoring.