CSSF Circular 22/811 : an upgrade of regulatory framework for fund administrators?

Key points

Scope

• The Circular applies to undertaking for collective investments (UCIs) administrators of regulated and non-regulated entities established or not in Luxembourg
• The CSSF makes no difference between delegation and externalization or outsourcing which are in scope of the Circular’s delegation requirement

Timeline

The Circular applies from 16 May 2022. A grandfathering period is granted to entities already acting as a UCI administrator at this date, which have until 30 June 2023 to comply with the Circular provisions.

Authorization

• The authorization requirement does not apply to entities already performing UCI administration as of 16 May 2022
• Management companies (chapter 15 & 16), Alternative Investment Fund Managers (AIFMs), foreign Investment Fund Managers (IFMs) performing administration functions of Luxembourg UCIs, Regulated Luxembourg UCIs and Credit Institutions should obtain an authorization from the CSSF to perform UCI administration activities
• UCI administrators should:
  • Apply for authorization from the CSSF in case of substantial changes with regard to operational models 
  • Notify the CSSF when there are substantial changes to aspects of delegation of critical or important operational tasks

Regulatory reporting

• UCI administrators should file a specific report with the CSSF at the latest five months after the financial year-end, starting 30 June 2023. This report will include significant information on the activity of UCI administration, human and technical resources

Administration activity

• The Circular makes a distinction between three administration functions: registrar, NAV calculation and accounting, client communication
• Only one service provider may be designated and responsible for specific UCI administration function for a UCI, across all compartments
• The specifics tasks of handling customer queries, regulatory compliance monitoring and record keeping apply to all three administration functions
• In case of delegation of compliance monitoring, restrictions and limits must be agreed upon in a contract between the UCI administrator and the delegate. Procedures should be in place to notify the UCI or its IFM of any instances of non-compliance without delay
• There is a new requirement to establish a documented procedure and an escalation process with regard to actions to take in the context of NAV errors and investment compliance breaches
• For Luxembourg regulated UCIs, the UCI administrator must inform the CSSF without undue delay when becoming aware that the UCI or its IFM does not properly fulfil its legal, regulatory or contractual obligations and/or does not notify the CSSF of NAV errors/breaches/incidents

Registrar

• The minimum coverage of the registrar function in terms of operational processes is described under §20
• Where intermediaries are appointed as authorized agents and representatives for subscriptions and redemptions of their units or shares, the ability of investors to deal directly with the UCI or IFM should not be restricted and this possibility should be explicitly and prominently mentioned in their offering documents
• Dispatching of confidential documents sent to investors must remain under the supervision of the UCI administrator

NAV calculation and accounting

• The minimum coverage of the NAV calculation and accountings function in terms of operational processes is described under §27
• The UCI administrator should exercise critical judgement regarding information received from third parties, such as the portfolio manager, and the production of NAV should encompass controls that must be adequately documented
• In case of delegation, the UCI administrator must remain in charge of the final step and validation of the NAV

Client communication

• The minimum coverage of the client communication function in terms of operational processes is described under §34
• The UCI administrator must have specific ex-post controls to ensures that documents are duly transmitted to the final investors

Organizational requirements

• A written contract setting out the roles, responsibilities, rights and obligations of each party must be concluded between the UCI administrator and the UCI and/or the IFM – a tripartite contract being recommended by the CSSF
• The UCI or its IFM should retain the power to give instructions to the UCI administrator or to withdraw the mandate with immediate effect when it is in the best interest of investors
• Rights of access to documents and data upon simple request should be granted to the UCI and when applicable, the IFM, the external auditor, the liquidator and the CSSF or any other national competent authority of a UCI
• The UCI or the IFM should be allowed to conduct on-site visits and the administrator should proactively communicate information, documents and data necessary to perform its duties to the UCI or its IFM
• The UCI administrator should answer requests from the external auditor or the national competent authority in a diligent and professional manner
• The offering document should disclose all entities covering administrative functions
• The UCI administrator must maintain a manual of written procedures and processes covering all administration functions. The minimum content of this manual is provided in §47 of the Circular. Procedures and processes should be kept up-to-date, considering the evolution of business and regulatory updates, and assessed and reviewed at least annually
• KPIs/KRIs should be in place and consider the services rendered, the number of UCIs, the compartments and unit/share classes administered, along with the volume and complexity of the UCIs
• The approval of new business relationships and new services should:
  • Follow a documented risk acceptance policy and decision-making process, compliant with the UCI administrator risk profile and providing escalation measures 
  • Include an adequate risk assessment and an appropriate, formalized and documented 
  • Follow sound and prudent management principles in its interest, promoting a sound risk culture
• With regard to conflicts of interest, UCI administrators must implement:
  • An effective and proportionate policy
  • Appropriate segregation of duties and activities considering the relationship with the UCI, the IFM and the depositary
  • A record of the types of activities and clients in which a conflict of interest entailing a material risk of damage to the interest of one or more UCIs or its investors has arisen or may arise
  • Disclosures to investors where conflicts of interest cannot be avoided
• When the administration and the depositary functions  of a UCI are performed by the same entity, functional and hierarchical separation between business lines must implemented, as opposed to a legal and structural independence, taking into consideration specific requirements of the sectoral legislation
• Means and procedures for information flows between the UCI administrator and the UCI depositary should be documented and formalized in an agreed-upon operating memorandum.
• The administrator should use different independent and reliable sources to confirm the existence of each kind of reconciled assets
• Adequate records, including a full audit trail, should be maintained and accessible to any authorized party
• Irreplaceable and critical physical documents initially kept by a delegate must be transferred to the UCI administrator without delay
• In case of change of UCI administrator, a proportionate and documented transfer process must be agreed upon
• UCI administrators must have at all times sufficient substance and resources which should be proportionate and adapted to the complexity of business. 4 eyes principle must be enforced at all times
• The person responsible for the UCI administration business line should be the head of operations, a conducting officer or a member of the management body and should prove to be of good professional repute and possess sufficient skills and experience
• UCI administrator’s work and activities must be formalized and documented in agendas and minutes of meetings recording decisions taken and oversight of delegation. Minutes must be available or accessible at the premises of the UCI administrator

ICT resources, Business Continuity and Disaster Recovery Planning

• The CSSF recommend to UCIs and IFMs to comply with the EBA Guidelines on ICT and security risk management implemented in Luxembourg by CSSF Circular 20/750¹
• A UCI administrator must have its  own technical and ICT infrastructures as well as procedures. Furthermore the UCI administrator must use a dedicated professional software to calculate NAVs and maintain unit-/shareholder registers, except when it is not proportionate to the volume and complexity of the UCI administered. When end-user systems (e.g. MS Excel, MS Access) are used, specific controls should be implemented to reduce and mitigate the risks associated to such systems
• A UCI administrator is required to safeguard the confidentiality, integrity and availability of information by implementing security systems and procedures and by granting access rights on a need-to-know/need to have basis
• Business continuity and disaster recovery plans must take into account the NAV calculation frequency. Secure back up of accounting and register positions at the end of each NAV calculation day should be stored in the European Economic Area, either in the UCI administrator’s premises, or by a service provider different from the one to whom the system is outsourced or by a group entity
• Regulatory developments in the field of ICT such as the upcoming Regulation on Digital Operational Resilience or the guidelines, recommendations or questions from ESMA should be monitored to amend or supplement the organizational requirements of the Circular

Delegation models

• Division of tasks must not result in a fragmentation which would impair coordination, supervision and which unnecessarily increases costs and risks
• A UCI administrator cannot outsource due diligence and oversight of delegates who should implement:
  • A procedure to select, monitor and change delegates. Auditors’ reports on the operating effectiveness of internal controls prepared in accordance to a recognized standard such as ISAE 3402 can be taken into account by the UCI administration for the organization of its monitoring
  • KPIs/KRIs monitoring at least annually
  • A review of the IT systems, operational processes and procedures
  • A review of the contracts/agreements
  • Regular contacts (calls, chats, meetings) at least monthly
  • Periodic due diligence including on-site and virtual visits. Recourse to virtual on-site visits is not deemed sufficient
• A written contract should be concluded between the UCI administrator and the delegates. The UCI administrator must also implement procedures and processes to efficiently monitor the delegated activities. The results of the due diligence and ongoing oversight must be formalized in writing
• In order to guarantee access to its data at all times, a UCI administrator must have immediate and unlimited editor access to the delegate’s systems. If it is not possible, the UCI administrator must be provided with a non-restrictive and immediate reader access allowing extraction of the data necessary to perform its duties
• The UCI administrator should assess whether or not the third parties and investors concerned by the delegation should be informed or their consent be confirmed. In case of transfer of information to a third party, the UCI administrator must ensure the UCI or its IFM, when applicable, has accepted the delegation of the service, the type of information transmitted and the country of establishment of the delegate. The CSSF also reminds that investors should be informed prior to any transfer of their data
• The BCP should pay attention to the revocable nature of delegate and the UCI administrator must always be able to take over or transfer to alternative service provider. In any case the UCI administrator should retain sufficient staff to not qualify as a letter-box entity
• The UCI administrator must perform an independent review of any due diligence or oversight conducted by another group entity to ensure the overall delegation model remains under the control of the UCI administrator
• Any requirements applicable to delegation apply mutatis mutandis to sub-delegation and subsequent sub-delegation. The CSSF prohibits delegation or sub-delegation of UCI administration outside the group or to an entity which is not supervised by the CSSF
• Delegation of critical or important operational tasks should be notified to the CSSF threemonths before the task is delegated. The notice period is reduced to one month when the task is delegated to a PFS
• In any event, the UCI administrator remains fully responsible to comply with laws and regulation as regards to delegation and must assess the criticality or importance of tasks should be assessed against the impact of a failure in their performance  on:
  • Its continuous compliance with the conditions of its authorization and or other legal and regulatory obligations
  • Its financial performance
  • The soundness or continuity of its activity