Earlier this week, we looked at the Financial Services Authority’s (FSA) requirements for mobile voice recording, which come into effect November 14. In today’s blog post, we look further into the PS10/17 requirements as well as the hot topics discussed at our recent hedge fund technology seminar in London, focusing on due diligence, mobile voice recording and disaster recovery.
Let’s have a look at some more of the hot topics discussed by our panel of experts at our recent seminar:
Will investors give less focus to infrastructure in the future? Will the hedge fund due diligence load lighten?
There is no sign that due diligence will lighten. In fact, expect more focus, especially with more institutional money hitting the FOFs, on ensuring that all risks are in the strategy and not the infrastructure. Remember that most conduit investors’ “alpha” is in the quality of their due diligence process, so expect to see further tightening. Growth has been exponential with little feedback to managers, so it is extremely important to get strong service providers who can let you know the latest requirements.
My fund is not required to be registered under Dodd-Frank. How will the registration of many funds affect the business practice of those who do not register?
We are seeing that even those funds that are not required to register, or choose not to, are changing their business practices to match the requirements of the registered funds with regard to archiving, record retention and disaster recovery. Whilst registration is a major part of the reason for looking at these changes, we are also seeing additional drivers, such as increased productivity through, for example, mobile access to the message archive, and increased interest in hosted, or cloud, solutions.
What due diligence should a firm conduct when selecting a new (archiving) vendor? (We suggest that this be done for all vendors)
There are a number of key considerations that you should look at when selecting a vendor:
Experience in the financial sector will indicate a better understanding of your needs as a business
SAS70 Type II certification on data centres if your data is held off-site
Is there an independent evaluation of your vendor’s security, business and operational control?
Change Management (Software and Infrastructure)
Message flow and processing
Data import, extraction and destruction
Security policies and standards
Personnel policies and procedures (e.g. background checks and references)
Data privacy – where will your data be stored? What are the privacy implications of storing data in the United States?
There are currently very relaxed policies around what methods of communication may be used to talk to investors. How, and why, should we change these policies to be compliant with our responsibilities as a registered fund?
The requirement is to maintain indexed, searchable and available tamperproof storage for the electronic communications that you can use to conduct business. Where a complaint or issue originates from communications over a prohibited message type, such as Gmail, auditors can reconcile the full company messaging against the complaint communication. Discrepancies can cause:
1) Failure to retain; and
2) Additional effort and expense in attempting to recover messages from unrecorded sources, like Gmail, which is especially difficult for former employees.
If you are not able to record it, then it should be blocked, physically or by policy. That said, many of the newer message types are now recordable, such as social media and instant messaging. It is not just about email.
How can a client maintain their internal or outsourced archiving and DR systems to ensure moves/adds/changes within the company are captured?
Clients can maintain their internal or outsourced archiving and DR systems by outsourcing to managed services with certified Business Continuity Planning staff. Carry out regular testing - we recommend quarterly testing, limitation of AD Security and a six-month plan to update documentation.
Is there a one-size-fits-all solution investors are looking for?
There is not a mythical “one size fits all” solution. You have to look at the business requirements of each firm to work out what is appropriate in terms of failover solutions and accessibility. Firms should also perform a review of all services, including telecommunications, data access and systems access, to work out what is required to keep the business going and what the path to full recovery is. Different strategies have different requirements, and all solutions must be “appropriate.”
What do I need to do to be ready for an audit or e-Discovery?
Even the simplest audit has the potential to cause additional work. A large e-Discovery can have the undesired effect of taking key personnel offline and causing additional expenses.
Following these suggestions can assist in smoothing the process:
Ensure that you have evidentiary-quality records (end to end reconciliation);
Comply with your own policies on supervision and monitoring of communications;
Clearly define the scope and responsibilities of the appointed person to handle the event; and
Maintain a full audit trail of all the events on the archive (viewings, recoveries and message flow may all be relevant).