Massimiliano Notarianni, Global Head of Network Management at Societe Generale’s wholesale banking division discusses some of the key issues affecting network managers, including the current and potential future impact of technology and the prospect of increased collaboration in the area of sub-custodian evaluation.

Managing the sub-custody network of an institution the size of Societe Generale is a considerable undertaking. We manage 85 markets and work with more than 130 sub-custodians. It is our responsibility to ensure that we select the most appropriate sub-custodian, for our clients’ activities and also for other wholesale business lines within the Societe Generale Group.

Over the last five years we have performed a number of sub-custodian migrations as the bar is set high by regulations. This does not necessarily mean that these sub-custodians don’t do a good job but rather their capacity to consistently maintain the high level we need them to operate at in the medium to long term is limited.

Our objective is to identify sub-custodians with a perspective that they are fit for purpose for the next five years and from the role my team plays in the oversight of sub-custodians, we are well aware that regulation has increased in relation to issues such as protection of client assets. AIFMD, UCITS V, and MIFID2 to cite just some examples underline the requirement for depository banks to undertake robust monitoring of the sub-custodians that hold their clients’ assets.

Applying external approaches internally

This has raised the bar in terms of how we inspect our sub-custodians, but within our own organisation we have also seen increased interest in applying the procedures we have adopted for clients to other business lines within the bank.

The number of sub-custodians over which we have oversight has grown and we are looking at other suppliers such as market infrastructures, which presents further challenges.

How we monitor these sub-custodians and infrastructures has also evolved to more in-depth analysis to ensure there are no potential structural issue for us as client and ultimately for our clients in the long term.

The due diligence process we perform has traditionally been seen as a snapshot exercise where we issue and review questionnaires, conduct pre-analysis and go into the market to reach a conclusion over whether the custodian is fit for purpose. These questionnaires are typically issued on an annual basis and subject to on-site due diligence reviews where the responses are discussed and verified.

While the standard questionnaire can be adapted to meet the specific requirements of the institution undertaking the evaluation, Thomas Murray refers to a number of common points in these documents. These include:

• Credentials – such as the respondent’s information; exact bank name; description of the regulatory environment; the bank’s group businesses; insurance policy for custody; and a description of the department and its business performance
• Asset safety and custody – including regulations; laws and market practices for custody; the account structure; information on the national central securities depository; control and reconciliation practices; and descriptions of any physical holdings
• Risk mitigation – for example, operational controls; audit; IT disaster recovery; business continuity; cyber security; financial crime prevention and know-your-client checks; and data protection
• Systems – such as reporting; protection of systems integrity; plans for system development; and IT performance
• Core Services – including settlements; asset servicing; taxation; cash; securities lending and borrowing; and client service management

Multifaceted approach to supplier review

The questionnaire can also include general client questions. However, even though the questionnaire and due diligence process addresses a wide range of risk subjects, we still have a hands-on ‘run the bank’ approach to the management and monitoring of these suppliers on a daily basis which supplements the formal questionnaire process.

Events of the last 18 months have increased the intensity in which we undertake monitoring. Throughout 2018, we have had instances where both sub-custodians and infrastructures have experienced significant system issues, which have had subsequent impacts on our business lines.

My view here is that there is a significant IT and regulatory catch-up taking place to change legacy systems and as a result of that pressure we are seeing more IT issues arise. It should therefore not come as a surprise that systems go down for significant periods of time as a result.

The upshot of the developments outlined above is that it is impossible to capture everything in the due diligence process – there will be new issues that arise and no matter what level of resources you devote to the due diligence process, it will never be watertight ex-ante.

We have conducted reviews of these issues to understand why they happened and particularly whether there are potential structural issues behind these system problems that might lead us to consider alternative suppliers.

Leveraging risk manager expertise

This has obvious implications for the network management team in terms of workload, although we have also drawn on the expertise of risk managers within the group to discuss issues such as business continuity.

Our second line of defences are working much more closely with the network management team not only to identify potential structural issues but also to build into our own business continuity procedures how we would react in the event of problems with our most significant sub-custodians and infrastructures.

In relation to cyber security, we are witnessing positive developments whereby regulators are organising business continuity exercises in the event that a major infrastructure is hit by a cyberattack. Internally, for every custodian we view as critical (that is, having a large amount of client and bank assets and/or presenting market concentration) we are documenting how we would react.

Internal contingency procedures reinforced

Increased regulatory focus on systemic banks means we also have to look to reinforce our own contingency procedures, which means demonstrating how we would support our clients’ day-to-day activities if we were in difficulty. One of the most important aspects of this is our migratory plan – in other words, how we would migrate client assets in an orderly fashion.

The most important response to any new issue is to ensure that you have learnt from it. When we go through the post mortem process there can be usually an assurance that external auditors will be engaged to provide an independent view and we have had instances where we have also been called into workshops to look at how resilience can be improved.

There is certainly a collegial approach to dealing with system issues and recognition that we can learn from each other’s experiences, which should provide additional assurance to investors. In the area of cyber risk, for example, I would expect that in the event of an attack, there would be co-operation across the industry to ensure the impact was minimised and all related parties learnt from the experience

Another challenge we face as an industry is how we can introduce technology to assist us in the sub-custodian evaluation process. With the increased number of inspections we have to perform and the need to perform them more in-depth, I would ultimately like to see some form of technology that could automate at least the basic aspects of these reviews.

The role of technology

Artificial intelligence may be the solution to increasing the bandwidth of the team to undertake more on-site, value added monitoring and spending more hands-on time with agent banks to undertake the actions required to mitigate risks rather than spending time on processing and documenting the due diligence process itself.

Societe Generale is already using artificial intelligence to perform evaluations in less complex areas of the business, for example reviewing simple legal contracts in the case of non-disclosure agreements and we are assessing whether this can be leveraged in our processes.

The time we invest in a more complex due diligence process and documenting the process to ensure we are able to prove to regulators that we have completed the process is considerable. This activity accounts for a significant percentage of our total workload, so I am constantly seeking ways in which my team can spend more time with our sub-custodians to mitigate the actual risks.

The future of sub-custodian evaluation

I have referred to the potential of artificial intelligence, although my initial perceptions are it would require considerable investment. There is also a case to be made for network managers from different institutions to work in a more collegial fashion given that we are all essentially conducting the same reviews on the same sub-custodians.

We have managed to standardise the due diligence questionnaire - can we do the same with the evaluation process? Perhaps that is the next challenge facing our industry.